Breach is a Windows domain controller box. I’ll start by using guest access to a writable SMB share to drop ntlm_theft lure files, capturing a NetNTLMv2 hash for a domain user with Responder. After cracking that hash, I’ll use BloodHound to find a Kerberoastable MSSQL service account and crack its hash as well. Both accounts map to guest on MSSQL, but I’ll forge a silver ticket as Administrator to get sysadmin access, enable xp_cmdshell, and use GodPotato to escalate to SYSTEM.

0xdf hacks stuff

A Windows domain controller penetration test walkthrough demonstrating multiple attack techniques. Starting with guest SMB access, NTLM theft lure files are dropped to capture a NetNTLMv2 hash for a domain user. After cracking the hash, BloodHound reveals a Kerberoastable MSSQL service account whose hash is also cracked. Both accounts map to guest on MSSQL, but a silver ticket is forged as Administrator using the service account's NTLM hash to gain sysadmin access. With xp_cmdshell enabled, GodPotato is used to exploit SeImpersonatePrivilege and escalate to SYSTEM.

HTB: Breach