Bleeding Edge Vulnerabilities
NoPac (SamAccountName Spoofing)
The Sam_The_Admin vulnerability, also known as noPac or SamAccountName Spoofing, was released in 2021. It covers two CVEs, CVE-2021-42278 and CVE-2021-42287, and allows privilege escalation from any domain user to Domain Admin with a single command.
This exploit path takes advantage of changing a computer account's SamAccountName to that of a Domain Controller. By default a user can add up to 10 computers to the domain, and the new host is then renamed so that it matches the DC.
Reference blog: https://www.secureworks.com/blog/nopac-a-tale-of-two-vulnerabilities-that-could-end-in-ransomware
Tool used: https://github.com/Ridter/noPac
Use scanner.py to check whether the system is vulnerable and noPac.py to exploit it to an NT AUTHORITY\SYSTEM shell.
The scanner uses an ordinary domain user account to attempt to obtain a TGT from the domain controller. If this succeeds, the system is vulnerable and ms-DS-MachineAccountQuota is set to 10. In some cases the attack fails because the user has no right to add new machine accounts, since ms-DS-MachineAccountQuota is set to 0.
sudo python3 scanner.py domain/user:password -dc-ip <DC IP> -use-ldap
$> sudo python3 scanner.py inlanefreight.local/forend:Klmcargo2 -dc-ip 172.16.5.5 -use-ldap
[*] Current ms-DS-MachineAccountQuota = 10
[*] Got TGT with PAC from 172.16.5.5. Ticket size 1484
[*] Got TGT from ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL. Ticket size 663
To get a shell with SYSTEM-level privileges, we can run noPac.py to impersonate the built-in administrator account and drop a semi-interactive shell on the target domain controller. The downside is that this is noisy and easily detected by AV/EDR.
The TGT is saved in the current folder and can be used for pass-the-ticket/DCSync. Use the -dump flag to perform DCSync with secretsdump.py.
Windows Defender & SMBEXEC.py Considerations

With smbexec.py:
It creates a service named BTOBTO.
Any command sent over SMB to the target host is written to the file execute.bat.
The temporary file execute.bat is created and deleted right after the command finishes.
→ Windows Defender already detects this as malicious behavior. Skip this technique.
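The two noisy artifacts described above (the computer-account rename that noPac relies on, and the BTOBTO service that smbexec.py installs to run execute.bat) both leave Windows event-log traces. The following is an added triage example, not code from this page, from noPac or from Impacket; it assumes events have already been exported to dicts with the field names used in the code (event_id, subject, target, new_sam_account_name, service_name, image_path), which is an assumption about the export, not the raw EVTX schema. The sample events are constructed, using the DC and user names that appear on this page.

```python
"""Event-log triage for the noPac rename and the smbexec service install.

Added example, not code from the original page, from noPac or from Impacket.
Field names (event_id, subject, target, new_sam_account_name, service_name,
image_path) are an assumed export format, not the raw Windows event schema."""

from dataclasses import dataclass

# Domain controller machine accounts, taken from the DC name shown on this page.
# In a real deployment this inventory comes from the Domain Controllers OU.
DC_ACCOUNTS = {"ACADEMY-EA-DC01$"}

# Accounts that legitimately join computers to the domain (constructed).
# With ms-DS-MachineAccountQuota set to 0 only these should ever raise 4741.
JOIN_ACCOUNTS = {"INLANEFREIGHT\\svc_join"}


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    detail: str


def check_computer_created(ev, join_accounts=JOIN_ACCOUNTS):
    """4741 (computer account created) by anyone outside the join allowlist:
    the noPac scanner only succeeds when a plain user can add machine accounts."""
    if ev.get("event_id") != 4741 or ev["subject"] in join_accounts:
        return None
    return Finding(4741, "computer account created by non-join account",
                   f"{ev['subject']} created {ev['target']}")


def check_computer_rename(ev, dc_accounts=DC_ACCOUNTS):
    """4742 (computer account changed): a sAMAccountName that no longer ends in
    '$' is the CVE-2021-42278 prerequisite; matching a DC name is the attack."""
    if ev.get("event_id") != 4742:
        return None
    new_name = ev.get("new_sam_account_name")
    if new_name is None or new_name.endswith("$"):
        return None
    dc_short = {d.rstrip("$").upper() for d in dc_accounts}
    if new_name.upper() in dc_short:
        rule = "noPac: computer account renamed to a DC name"
    else:
        rule = "computer account renamed without trailing $"
    return Finding(4742, rule,
                   f"{ev['subject']} renamed {ev['target']} -> {new_name}")


def check_service_install(ev):
    """7045 (service installed): smbexec.py registers a service named BTOBTO
    whose command line runs the temporary execute.bat."""
    if ev.get("event_id") != 7045:
        return None
    name = ev.get("service_name", "")
    path = ev.get("image_path", "")
    if name == "BTOBTO" or "execute.bat" in path.lower():
        return Finding(7045, "smbexec-style service install", f"{name}: {path}")
    return None


def triage(events, dc_accounts=DC_ACCOUNTS, join_accounts=JOIN_ACCOUNTS):
    """Run every check over the exported events; findings keep event order."""
    findings = []
    for ev in events:
        for finding in (check_computer_created(ev, join_accounts),
                        check_computer_rename(ev, dc_accounts),
                        check_service_install(ev)):
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample export: a noPac sequence (user creates a machine account,
# then renames it to the DC's name), a benign rename, one smbexec service
# install and one benign service install.
SAMPLE_EVENTS = [
    {"event_id": 4741, "subject": "INLANEFREIGHT\\forend", "target": "WIN-PENTEST$"},
    {"event_id": 4742, "subject": "INLANEFREIGHT\\forend", "target": "WIN-PENTEST$",
     "new_sam_account_name": "ACADEMY-EA-DC01"},
    {"event_id": 4742, "subject": "INLANEFREIGHT\\svc_join", "target": "WS01$",
     "new_sam_account_name": "WS02$"},
    {"event_id": 7045, "service_name": "BTOBTO",
     "image_path": "%COMSPEC% /Q /c %TEMP%\\execute.bat"},
    {"event_id": 7045, "service_name": "Sense",
     "image_path": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.rule}: {f.detail}")
```

Setting ms-DS-MachineAccountQuota to 0 removes the precondition the scanner tests for; the 4741 rule above is what makes any remaining machine-account creation by a regular user visible.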
PrintNightmare
PrintNightmare is the nickname given to two vulnerabilities, CVE-2021-34527 and CVE-2021-1675, found in the Print Spooler service that runs on all versions of Windows. Many exploits have been written for this vulnerability that allow privilege escalation and RCE.
Exploit used: https://github.com/cube0x0/CVE-2021-1675
Impacket's rpcdump.py can be used to check whether the Print System Asynchronous Remote Protocol and the Print System Remote Protocol are exposed on the target.
Enumerating for MS-RPRN
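As an added example (not from this page, Impacket or the cube0x0 exploit), the function below parses an rpcdump.py-style endpoint listing and reports which of the two spooler interfaces are reachable over a remote transport. The interface UUIDs are the published ones (MS-RPRN is 12345678-1234-ABCD-EF00-0123456789AB, MS-PAR is 76F03F96-CDFD-44FC-A22C-64950A001209); the sample listing is constructed and only approximates rpcdump.py's layout, which is an assumption about the tool's output format rather than a quote of it.

```python
"""Report spooler RPC interfaces exposed in an rpcdump.py-style listing.

Added example; not part of the original page or of Impacket. The listing
layout (a 'Protocol:' line, a 'UUID    :' line and indented 'Bindings:')
is an approximation of rpcdump.py output, and the sample is constructed."""

import re

# Published interface UUIDs for the two print-spooler protocols.
SPOOLER_INTERFACES = {
    "12345678-1234-ABCD-EF00-0123456789AB": "MS-RPRN",
    "76F03F96-CDFD-44FC-A22C-64950A001209": "MS-PAR",
}

# Transports a remote client can use; ncalrpc is reachable only locally.
REMOTE_TRANSPORTS = ("ncacn_np", "ncacn_ip_tcp", "ncacn_http")

UUID_RE = re.compile(r"UUID\s*:\s*([0-9A-Fa-f-]{36})")
BINDING_RE = re.compile(r"^\s*(ncacn_\w+|ncalrpc):(\S+)", re.M)


def parse_endpoints(listing):
    """Split the listing into (uuid, [binding strings]) per endpoint record."""
    records = []
    for block in re.split(r"\n\s*\n", listing.strip()):
        m = UUID_RE.search(block)
        if not m:
            continue
        bindings = [f"{t}:{rest}" for t, rest in BINDING_RE.findall(block)]
        records.append((m.group(1).upper(), bindings))
    return records


def spooler_exposure(listing):
    """Map each registered spooler interface to its remote bindings.
    An empty list means the interface exists but is only reachable locally."""
    exposure = {}
    for uuid, bindings in parse_endpoints(listing):
        name = SPOOLER_INTERFACES.get(uuid)
        if name is None:
            continue
        remote = [b for b in bindings if b.startswith(REMOTE_TRANSPORTS)]
        exposure.setdefault(name, []).extend(remote)
    return exposure


# Constructed listing: MS-RPRN served over TCP and the spoolss named pipe,
# MS-PAR registered locally only, plus an unrelated SCM endpoint.
SAMPLE_LISTING = """\
Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:172.16.5.5[49664]
          ncacn_np:\\\\ACADEMY-EA-DC01[\\PIPE\\spoolss]
          ncalrpc:[spoolss]

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Provider: spoolsv.exe
UUID    : 76F03F96-CDFD-44FC-A22C-64950A001209 v1.0
Bindings:
          ncalrpc:[spoolss]

Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
          ncacn_ip_tcp:172.16.5.5[49668]
          ncacn_np:\\\\ACADEMY-EA-DC01[\\PIPE\\svcctl]
"""

if __name__ == "__main__":
    for name, remote in spooler_exposure(SAMPLE_LISTING).items():
        state = "REMOTELY EXPOSED" if remote else "local only"
        print(f"{name}: {state} {remote}")
```

On a domain controller the expected result is that neither interface appears at all: the Print Spooler service has no business running there, and a host where MS-RPRN shows remote bindings is one to patch and to stop the spooler on.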
Generating a DLL Payload
Host this payload on an SMB share on the attack host with smbserver.py.
Use MSF to configure and start a multi handler that is responsible for catching the reverse shell executed on the target.
Running the Exploit
Check that the running MSF handler has dropped a shell with NT AUTHORITY\SYSTEM privileges on the DC.
PetitPotam (MS-EFSRPC)
PetitPotam (CVE-2021-36942) is an LSA spoofing vulnerability that lets an unauthenticated attacker coerce a DC into performing NTLM authentication to an attacker-controlled host.
Attack chain:
PetitPotam -> coerces the DC into authenticating with NTLM to the attacker's machine (relay server, port 445, Local Security Authority Remote Protocol (LSARPC)).
Responder/NTLMRelayX -> relays the DC's NTLM authentication to AD CS Web Enrollment.
A valid CSR is submitted -> the CA issues a certificate for the DC account (machine account).
DC certificate -> PKINITtools or Rubeus -> obtain a TGT -> DCSync -> domain compromise.
No user account needed. No RCE needed. Only a misconfigured AD CS.
Reference: https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/
First, run ntlmrelayx.py with the Web Enrollment URL of the CA host specified.
It listens for NTLM authentication coming from the Domain Controller (which we will shortly coerce with PetitPotam).
When the DC's NTLM authentication arrives -> it is automatically relayed to the Certificate Authority's (CA) Web Enrollment page (certsrv/).
A certificate is requested with the appropriate template (DomainController or Machine).
The certificate is then exported back to the attacker.
AD CS commonly enables these HTTP endpoints:
http://<CA>/certsrv/
http://<CA>/ADCSEnrollment/
http://<CA>/certs/
At the same time, run PetitPotam.py.
PowerShell version: https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/PowershellScripts/Invoke-Petitpotam.ps1
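The relay step above leaves a distinctive trace on the CA's web server: a machine account (a name ending in $) submitting a CSR through the browser-oriented Web Enrollment pages, which no domain controller does on its own. The following is an added detection example, not code from this page, from Impacket or from PetitPotam. It parses IIS W3C extended log lines from the certsrv site; the lines are constructed, the column set is whatever the #Fields: header declares, and it is assumed that /certsrv/certfnsh.asp is the page a CSR is posted to.

```python
"""Flag AD CS web-enrollment requests that look like relayed machine-account
authentication (the PetitPotam -> ntlmrelayx -> certsrv chain).

Added example, not from the original page, Impacket or PetitPotam. IIS W3C
log lines are parsed using the column names from the '#Fields:' header; the
sample log is constructed. Assumption: /certsrv/certfnsh.asp is the CSR
submission page of Web Enrollment."""

# DC machine accounts (from the DC name on this page). A DC$ account
# authenticating to certsrv is a relay indicator, not legitimate enrollment.
DC_ACCOUNTS = {"INLANEFREIGHT\\ACADEMY-EA-DC01$"}

SUBMIT_PAGE = "/certsrv/certfnsh.asp"


def parse_w3c(text):
    """Yield one dict per log line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # tolerate truncated lines rather than mis-align columns
        yield dict(zip(fields, values))


def find_relayed_enrollments(text, dc_accounts=DC_ACCOUNTS):
    """Return (username, client_ip, severity) for every successful CSR
    submission made by a machine account. The 401 that precedes an NTLM
    handshake is normal and is ignored; only the authenticated 200 counts."""
    dc_upper = {d.upper() for d in dc_accounts}
    alerts = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() != SUBMIT_PAGE:
            continue
        if rec.get("cs-method") != "POST" or rec.get("sc-status") != "200":
            continue
        user = rec.get("cs-username", "-")
        if not user.endswith("$"):
            continue  # users enrolling interactively is what certsrv is for
        severity = "critical" if user.upper() in dc_upper else "high"
        alerts.append((user, rec.get("c-ip"), severity))
    return alerts


# Constructed log: an interactive user enrollment, then two POSTs by machine
# accounts from the same client address (the relay host), one of them the DC.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2021-12-01 09:14:02 172.16.5.10 GET /certsrv/ - 80 - 172.16.5.50 Mozilla/5.0 401 2 5
2021-12-01 09:14:02 172.16.5.10 GET /certsrv/ - 80 INLANEFREIGHT\\jdoe 172.16.5.50 Mozilla/5.0 200 0 0
2021-12-01 09:14:40 172.16.5.10 POST /certsrv/certfnsh.asp - 80 INLANEFREIGHT\\jdoe 172.16.5.50 Mozilla/5.0 200 0 0
2021-12-01 09:21:11 172.16.5.10 POST /certsrv/certfnsh.asp - 80 - 172.16.5.225 Mozilla/5.0 401 2 5
2021-12-01 09:21:11 172.16.5.10 POST /certsrv/certfnsh.asp - 80 INLANEFREIGHT\\ACADEMY-EA-DC01$ 172.16.5.225 Mozilla/5.0 200 0 0
2021-12-01 09:30:05 172.16.5.10 POST /certsrv/certfnsh.asp - 80 INLANEFREIGHT\\WS01$ 172.16.5.225 Mozilla/5.0 200 0 0
"""

if __name__ == "__main__":
    for user, ip, severity in find_relayed_enrollments(SAMPLE_LOG):
        print(f"{severity.upper()}: {user} submitted a CSR from {ip}")
```

The same rule can be cross-checked against the CA's own audit events (certificate requested and issued), but the web log is the cheaper signal; the fix on the CA side is to require HTTPS with Extended Protection for Authentication on the enrollment site or to turn NTLM authentication off there entirely, which removes the relay target.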
Catching Base64 Encoded Certificate for DC01
Back in the ntlmrelayx window:
The certificate has been retrieved.
Requesting a TGT Using gettgtpkinit.py
Setting the KRB5CCNAME Environment Variable
The requested TGT is saved to the local file dc01.ccache; set the KRB5CCNAME environment variable to point at it.
Use secretsdump.py to DCSync and retrieve every NTLM password hash in the domain.
Confirm by authenticating to the DC with the NT hash of the built-in Administrator account. From here the attacker has full control of the domain and can establish persistence, look for sensitive data, and hunt for other misconfigurations and vulnerabilities in the environment.
Submitting a TGS Request for Ourselves Using getnthash.py
Using getnthash.py from PKINITtools, we can request the NT hash for the target host/user via Kerberos U2U by submitting a TGS request that carries the Privileged Attribute Certificate (PAC).
This uses the AS-REP decryption key obtained from the earlier TGT request.
With the NT hash obtained, use secretsdump.py to DCSync.
Requesting TGT and Performing PTT with DC01$ Machine Account
Alternatively, once the base64 certificate has been obtained through ntlmrelayx.py, we can use it with Rubeus on Windows to request a TGT and perform a pass-the-ticket attack in one step.
Performing DCSync with Mimikatz