Windows
This was a flaw in the Kerberos protocol, which could be leveraged along with standard domain user credentials to elevate privileges to Domain Admin. A Kerberos ticket contains information about a user, including the account name, ID, and group membership in the Privilege Attribute Certificate (PAC). The PAC is signed by the KDC using secret keys to validate that the PAC has not been tampered with after creation. The vulnerability allowed a forged PAC to be accepted by the KDC as legitimate. This can be leveraged to create a fake PAC, presenting a user as a member of the Domain Administrators or other privileged group. For more info see .
to get TGT
The Printer Bug is a flaw in the MS-RPRN protocol (Print System Remote Protocol). This protocol defines the communication of print job processing and print system management between a client and a print server. To leverage this flaw, any domain user can connect to the spooler's named pipe with the RpcOpenPrinter method, use the RpcRemoteFindFirstPrinterChangeNotificationEx method, and force the server to authenticate to any host provided by the client over SMB. The spooler service runs as SYSTEM and is installed by default on Windows servers running Desktop Experience.
Using PowerShell, get a list of Windows boxes (servers are usually priority)
Attempt to coerce the Domain Controller to authenticate to our ntlmrelayx
Obtain the User and the Base64 encoded certificate for the Domain Controller from ntlmrelayx.
Set the KRB5CCNAME environment variable, so our attack host uses this file for Kerberos authentication attempts
Now we can use the TGT to perform various attacks
This exploit path takes advantage of being able to change the SamAccountName of a computer account to that of a Domain Controller. By default, authenticated users can add up to 10 computers to a domain. When doing so, we change the name of the new host to match a Domain Controller's SamAccountName. Once done, we must request Kerberos tickets, causing the service to issue us tickets under the DC's name instead of the new name. When a TGS is requested, it will issue the ticket with the closest matching name. Once done, we will have access as that service and can even be provided with a SYSTEM shell on a Domain Controller.
Check if the system is vulnerable
Attack the target. (This could be "noisy" or may be blocked by AV or EDR)
Impersonate the built-in administrator account and drop into a semi-interactive shell session (smbexec.py) on the target Domain Controller.
Install cube0x0's Version of Impacket
We can use rpcdump.py to see if "Print System Asynchronous Protocol" and "Print System Remote Protocol" are exposed on the target.
Now we can use MSF to configure & start a multi handler.
With the share hosting our payload and our multi handler listening for a connection, we can attempt to run the exploit against the target.
ex: <PATH> = C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Check permission with icacls <PATH>
Get 2 malicious.exe and rename them with the name of the service exe.
Run exploit
Check permission with icacls <PATH> (all F)
Since MaliciousExe1 is no longer valid, exchange it with the second
Now run the malicious file as SYSTEM
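The icacls check above is also the audit a defender runs to find service binaries that low-privilege principals can replace. The following is an added example, not code from the original page: it parses captured icacls output offline (the sample output is constructed around the page's example path) and reports low-privilege principals holding write-capable rights; LOW_PRIV and WRITE_RIGHTS are assumed sets to tune per environment.

```python
"""Audit captured 'icacls <file>' output for write access by low-privilege principals."""
import re

# Assumption: principals whose write access to a SYSTEM service binary is a risk.
LOW_PRIV = {r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users",
            "Everyone", r"NT AUTHORITY\INTERACTIVE"}
# Simple rights (F, M, W, D) and specific rights that allow altering or replacing the file.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WDAC", "WO", "DE"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}  # inheritance markers, not permissions
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<rights>(?:\([^)]*\))+)$")

SERVICE_EXE = r"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
# Constructed icacls output: the first line carries the path, later ACEs are indented.
SAMPLE_OUTPUT = SERVICE_EXE + r""" BUILTIN\Users:(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            BUILTIN\Administrators:(I)(F)
            NT AUTHORITY\Authenticated Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(path, output):
    """Return [(principal, set_of_rights)] parsed from icacls output for `path`."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):
            line = line[len(path):].strip()  # drop the path prefix on the first line
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the summary line
        rights = set()
        for token in re.findall(r"\(([^)]*)\)", m.group("rights")):
            rights.update(t.strip() for t in token.split(","))  # e.g. "(RX,W)"
        aces.append((m.group("who"), rights - INHERIT_FLAGS))
    return aces


def writable_by_low_priv(path, output):
    """Return low-privilege principals that can modify or replace the binary."""
    return sorted(who for who, rights in parse_icacls(path, output)
                  if who in LOW_PRIV and rights & WRITE_RIGHTS)


if __name__ == "__main__":
    print(writable_by_low_priv(SERVICE_EXE, SAMPLE_OUTPUT))
```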
Right-click on hhupd.exe > Run as administrator > Show information about the publisher's certificate > General > click the link on "Issued by" and close
Now we have a browser open as SYSTEM.
Right-click on the browser > Save as > enter c:\windows\system32\cmd.exe in the path
MS14-068
MS16-032
MS17-010
to open a privileged session using the obtained TGT and PsExec
Set
With see if the Spooler Service is listening
Now, with or , ask the service to authenticate against an arbitrary host
With see if the Spooler Service is listening
Now, with, ask the service to authenticate against an arbitrary host
The flaw allows an unauthenticated attacker to coerce a Domain Controller to authenticate against another host using NTLM over port 445 via the Local Security Authority Remote Protocol (LSARPC) by abusing Microsoft's Encrypting File System Remote Protocol (MS-EFSRPC). This technique allows an unauthenticated attacker to take over a Windows domain where Active Directory Certificate Services (AD CS) is in use. For more info, see link.
Use to attempt to locate the Web Enrollment URL for the CA host.
Start , specifying the Web Enrollment URL for the CA host and using either the KerberosAuthentication or DomainController AD CS template.
Use
Or, if initial access has been established to a domain joined system, use
Use EFS module in .
Use PowerShell implementation of the tool .
Use to request a TGT for the domain controller.
From get TGT info with the klist command (default principal)
Then use to perform DCSync
Then use from PKINITtools to request the NT hash
Alternatively, once we obtain the base64 certificate via ntlmrelayx, we could use the certificate with the tool on a Windows attack host to request a TGT ticket and perform a pass-the-ticket (PTT) attack all at once.
is a bypass vulnerability with the Security Account Manager (SAM). is a vulnerability within the Kerberos Privilege Attribute Certificate (PAC) in ADDS.
Install
Use
We could then use the TGT ccache file to perform a and perform further attacks such as . We can also use the tool with the -dump flag to perform a DCSync using secretsdump.py.
that execute a malicious DLL.
After confirming this, we can craft a DLL payload using
We will then host this payload in an
in powershell implementation.
: Privilege Escalation with or , or with a service that runs in the context of SYSTEM and can be started by unprivileged users.
Use that contains a certificate with the SpcSpAgencyInfo field populated with a hyperlink.
SMB v1 vulnerability,
RDP vulnerability,