Bleeding Edge Vulnerabilities
A security practitioner should keep up to date with the most recent tactics and vulnerabilities. Some of them can be leveraged to gain access to the network or to elevate our privileges.
Make sure to understand the vulnerability and the exploit before attempting them in a production environment. You do not want to cause issues in the client's network or disrupt any services.
noPAC (SamAccountName Spoofing)
This vulnerability encompasses CVE-2021-42278 and CVE-2021-42287.
The combination of these two vulnerabilities, disclosed at the end of 2021, allows an attacker to elevate from a standard domain user to Domain Admin in a few seconds. For the attack to work, the standard user needs the right to add computer accounts to the domain. We can check the ms-DS-MachineAccountQuota attribute to see whether users are allowed to add computer accounts: by default, any domain user can join up to 10 machine accounts to the domain. When a user creates a computer account in the domain, they are granted the right to modify the attributes of that account. For example, a domain user can change the sAMAccountName of a computer account they own to an arbitrary value.
The vulnerability arises when the attacker creates a new machine account and changes its sAMAccountName to the name of a Domain Controller without the trailing $ that normally characterizes machine account names (CVE-2021-42278: the DC does not validate that a computer account's sAMAccountName ends with $; the account's servicePrincipalName values must be cleared first, since they embed the old name). The attacker then requests a TGT from the Key Distribution Center for that name and resets the sAMAccountName of the computer account to its previous value. Next, the attacker uses the TGT to request a service ticket (via S4U2self) for the Domain Controller. Because no account exists any more that matches the name the TGT was issued for, the KDC falls back to the closest match: it appends a $ to the name and finds the DC's machine account (CVE-2021-42287). The KDC therefore issues the service ticket for the DC as the requested user, which gives us full control over the DC. From there we can perform a DCSync attack or dump the entire NTDS.dit database.
The flow of this attack is well detailed in this article.
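The rename, TGT request and rename-back steps described above each leave a trace in the Security log of the Domain Controller. The following detection logic is an added example for this page (not code from the original write-up or from any noPAC scanner). It assumes events have been reduced to (event ID, fields) with the field names Windows uses in Event ID 4741 (computer account created), 4781 (account renamed) and 4768 (TGT requested); the DC name DC01$ and the sample events are constructed.

```python
"""Detect the noPAC sAMAccountName-spoofing sequence in Windows Security events.

Added example for this page (not code from the original write-up or from any
noPAC scanner). Assumptions: events are reduced to (event_id, fields) with the
field names Windows uses in Event ID 4741 (computer account created), 4781
(account renamed) and 4768 (TGT requested); the sample events are constructed.
"""
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int
    fields: dict


# Constructed sample: a user creates WIN-A2D1$, renames it to the DC's name
# without the trailing $, obtains a TGT for that name, then renames it back.
SAMPLE_EVENTS = [
    Event(4741, {"SubjectUserName": "htb-student", "TargetUserName": "WIN-A2D1$"}),
    Event(4781, {"SubjectUserName": "htb-student",
                 "OldTargetUserName": "WIN-A2D1$", "NewTargetUserName": "DC01"}),
    Event(4768, {"TargetUserName": "DC01", "IpAddress": "::ffff:172.16.5.225"}),
    Event(4781, {"SubjectUserName": "htb-student",
                 "OldTargetUserName": "DC01", "NewTargetUserName": "WIN-A2D1$"}),
    # Benign rename of a workstation account by an admin: must not fire.
    Event(4781, {"SubjectUserName": "admin",
                 "OldTargetUserName": "LAB-WS01$", "NewTargetUserName": "LAB-WS02$"}),
]


def dc_short_names(dc_accounts):
    """'DC01$' -> 'DC01': the spoofed name is the DC's sAMAccountName minus the $."""
    return {name.rstrip("$").upper() for name in dc_accounts}


def detect_nopac(events, dc_accounts):
    """Return one finding per noPAC step observed in `events`."""
    dcs = dc_short_names(dc_accounts)
    creators = {}  # computer account -> who created it (from 4741)
    findings = []
    for ev in events:
        f = ev.fields
        if ev.event_id == 4741:
            creators[f["TargetUserName"].upper()] = f["SubjectUserName"]
        elif ev.event_id == 4781:
            old, new = f["OldTargetUserName"], f["NewTargetUserName"]
            if new.upper() in dcs:
                # Step 1: a machine account now carries a DC's name without $
                findings.append({"rule": "renamed-to-dc-name", "by": f["SubjectUserName"],
                                 "old": old, "new": new,
                                 "creator": creators.get(old.upper())})
            elif old.upper() in dcs and new.endswith("$"):
                # Step 3: the spoofed name is reverted after the TGT was obtained
                findings.append({"rule": "dc-name-reverted", "by": f["SubjectUserName"],
                                 "old": old, "new": new})
        elif ev.event_id == 4768:
            name = f["TargetUserName"]
            if not name.endswith("$") and name.upper() in dcs:
                # Step 2: a TGT was issued for the DC's name as if it were a user
                findings.append({"rule": "tgt-for-spoofed-dc-name", "name": name,
                                 "from": f.get("IpAddress", "")})
    return findings


if __name__ == "__main__":
    for hit in detect_nopac(SAMPLE_EVENTS, ["DC01$"]):
        print(hit)
```

The first rule alone is enough to alert on; the other two tie the creator of the computer account (from 4741) to the TGT request and the revert, which is the evidence you want before treating the user as compromised.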
We can use the following tool to determine whether our target domain is vulnerable to noPAC. It requires Impacket to be installed on our attack machine.
Scanning for noPac
This command can be issued to scan for the noPac vulnerability. If a TGT is issued, the target domain is vulnerable.
The following image shows that the domain's ms-DS-MachineAccountQuota setting is 10, so users can add up to ten computer accounts to the domain. From the scan output, we can also observe that a TGT has been issued by the DC.
Getting a shell on the Domain Controller as Administrator
The following command allows an attacker to get a shell as SYSTEM on the DC. However, it can be blocked by AV/EDR and can trigger a security alert. The ticket (.ccache file) is saved in the current working directory. Commands are executed through two newly created SMB services (BTOBTO and BTOBO) and a .bat script that is generated, executed and deleted every time a command is issued. The output of each command is written to a __output file that is deleted once the command has run. smbexec.py is therefore not very OPSEC safe. It provides a semi-interactive shell: we have to specify the full path of every directory, and we cannot change directory with the cd command.
DCSync attack
By impersonating the DC administrator, we can also perform a DCSync attack or dump the hashes with secretsdump.py. The command below aims to retrieve the hashes of the built-in Administrator account from the ACADEMY-EA-DC-1 host.
Remove the .ccache file once the attack is done.
PrintNightmare
PrintNightmare encompasses two vulnerabilities, CVE-2021-34527 and CVE-2021-1675, both in the Print Spooler service, which runs by default on all Windows systems. The service can be thought of as an interface between the Windows operating system and a printer; it manages all print jobs. It runs inside the spoolsv.exe process as SYSTEM. The root of the vulnerability is the Remote Procedure Call (RPC) RpcAddPrinterDriverEx(), part of the Print System Remote Protocol (MS-RPRN), which suffers from an authorization bug allowing any authenticated user to add a printer driver to the system remotely. The intended behavior is that only Administrators and members of the Print Operators group, who hold the SeLoadDriverPrivilege privilege, can install drivers remotely.
PrintNightmare allows remote code execution or local privilege escalation. If the DC is vulnerable, an attacker can also gain access to it in the SYSTEM context.
Here is a PrintNightmare proof of concept. The exploit requires a specific fork of Impacket maintained by its author, cube0x0. It abuses the RpcAsyncAddPrinterDriver() call (Print System Asynchronous Remote Protocol, MS-PAR) to load a printer driver remotely.
The exploit requires at least the credentials of a low-privileged domain user.
PrintNightmare can break the Print Spooler service that manages print jobs, which can cause issues in the client's network.
Enumeration of print protocols
The following command enumerates whether the two print protocols targeted by the exploit are exposed on the DC. We are looking for the Print System Asynchronous Remote Protocol (MS-PAR) and the Print System Remote Protocol (MS-RPRN) to be present.
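Rather than eyeballing the enumeration output, the two interfaces can be picked out by their published UUIDs (MS-RPRN: 12345678-1234-ABCD-EF00-0123456789AB, MS-PAR: 76F03F96-CDFD-44FC-A22C-64950A001209). The parser below is an added example for this page, not code from the original write-up or from the exploit author; the sample text is constructed to mimic the record layout Impacket's rpcdump.py prints, and the binding types counted as "remote" are an assumption.

```python
"""Pick the PrintNightmare-relevant RPC interfaces out of rpcdump.py-style output.

Added example for this page (not from the original write-up or the exploit
author). The interface UUIDs are the published MS-RPRN/MS-PAR ones; the sample
output is constructed to mimic Impacket rpcdump.py's record format.
"""
import re

# UUID -> (short name, long name) for the two spooler interfaces the exploit uses
PRINT_INTERFACES = {
    "12345678-1234-ABCD-EF00-0123456789AB": ("MS-RPRN", "Print System Remote Protocol"),
    "76F03F96-CDFD-44FC-A22C-64950A001209": ("MS-PAR", "Print System Asynchronous Remote Protocol"),
}

# Assumption: bindings on these transports are reachable over the network;
# ncalrpc is local-only and does not count.
REMOTE_TRANSPORTS = ("ncacn_ip_tcp", "ncacn_np", "ncacn_http")

SAMPLE_RPCDUMP = """
Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:172.16.5.5[49680]
          ncalrpc:[LRPC-3a2f0c7e1b]

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Provider: spoolsv.exe
UUID    : 76F03F96-CDFD-44FC-A22C-64950A001209 v1.0
Bindings:
          ncacn_ip_tcp:172.16.5.5[49680]

Protocol: N/A
Provider: N/A
UUID    : 11223344-5566-7788-99AA-BBCCDDEEFF00 v1.0
Bindings:
          ncacn_ip_tcp:172.16.5.5[49667]
"""


def parse_rpcdump(text):
    """Split the output into records: {uuid, protocol, provider, bindings}."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        uuid = re.search(r"UUID\s*:\s*([0-9A-Fa-f-]{36})", block)
        if not uuid:
            continue  # not an interface record
        proto = re.search(r"Protocol:\s*(.*)", block)
        prov = re.search(r"Provider:\s*(.*)", block)
        # binding lines are indented and start with the transport name
        bindings = [b.strip() for b in re.findall(r"^\s+(nca\w+:.*)$", block, re.M)]
        records.append({
            "uuid": uuid.group(1).upper(),
            "protocol": proto.group(1).strip() if proto else "",
            "provider": prov.group(1).strip() if prov else "",
            "bindings": bindings,
        })
    return records


def exposed_print_interfaces(text):
    """Map short name -> remotely reachable bindings for each spooler interface found."""
    found = {}
    for rec in parse_rpcdump(text):
        if rec["uuid"] in PRINT_INTERFACES:
            short, _ = PRINT_INTERFACES[rec["uuid"]]
            found[short] = [b for b in rec["bindings"] if b.startswith(REMOTE_TRANSPORTS)]
    return found


def both_print_protocols_exposed(text):
    """True when MS-RPRN and MS-PAR are both registered with a remote binding."""
    found = exposed_print_interfaces(text)
    return all(found.get(name) for name in ("MS-RPRN", "MS-PAR"))


if __name__ == "__main__":
    for name, bindings in exposed_print_interfaces(SAMPLE_RPCDUMP).items():
        print(name, bindings)
    print("candidate:", both_print_protocols_exposed(SAMPLE_RPCDUMP))
```

Presence of the interfaces only says the spooler is listening, not that the host is unpatched; treat a positive result as a reason to run the check against the patch level, not as proof of exploitability.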
Creating and hosting a malicious dll
We create an msfvenom .dll payload that sends a reverse shell back to our attack host on its 172.16.5.x interface, and host it on an SMB share on the attack host. The .dll is the arbitrary print driver that will be loaded on the remote system: once loaded, all the code it contains is executed by the spoolsv.exe service.
Execute the exploit
In the following command, the path points to our SMB share hosting the .dll payload. The exploit loads the fake print driver on the remote target.
If the target can reach the SMB share, we should obtain an elevated shell on the DC as SYSTEM, since spoolsv.exe runs in the SYSTEM context. Note that the attack host has two interfaces; the DC can only reach it through the 172.16.5.x interface.
The image below shows that we obtained a Meterpreter session.
PetitPotam CVE-2021-36942
PetitPotam is an NTLM relay attack that abuses Microsoft's Encrypting File System Remote Protocol (MS-EFSRPC).
By exploiting PetitPotam, an attacker can coerce a Windows host, such as a Domain Controller, to authenticate to an arbitrary host the attacker controls over port 445. Using a relay tool such as ntlmrelayx.py, the attacker can relay that authentication from the DC to any service accepting NTLM authentication. For example, the Certificate Authority Web Enrollment service supports HTTP NTLM authentication, so the attacker can relay the DC's authentication attempt to it and request a certificate on behalf of the DC, which grants elevated privileges. Because Kerberos supports certificate-based authentication via PKINIT, that certificate can then be used to request a TGT with the privileges of the Domain Controller and compromise the entire domain.
This attack vector is very powerful because the attacker needs neither authentication nor user interaction to coerce the target host into authenticating to an arbitrary machine. The only requirement is an attack machine located on the internal network.
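The chain leaves two characteristic records: the relay target logs an NTLM network logon for the DC's machine account whose source IP is not the DC, and the DC's KDC logs a TGT request for that machine account carrying certificate information (PKINIT) from the same unexpected host. The detection below is an added example for this page, not code from the original write-up or from the PetitPotam or ntlmrelayx tools. It assumes events reduced to dicts with the field names Windows uses in Event ID 4624 and 4768 (the Cert* fields of 4768 being populated only for PKINIT); the DC inventory and sample events are constructed.

```python
"""Flag the PetitPotam chain (coerced NTLM auth -> relay -> PKINIT TGT) in Security events.

Added example for this page, not code from the original write-up or from the
PetitPotam/ntlmrelayx tools. Assumptions: events are dicts with the field names
Windows uses in Event ID 4624 (logon, as recorded on the relay target) and
4768 (TGT requested, as recorded on the DC; the Cert* fields are only populated
for PKINIT); the DC inventory and the sample events are constructed.
"""

# Constructed inventory: DC machine account -> IP addresses it legitimately uses.
DC_INVENTORY = {"DC01$": {"172.16.5.5"}}


def norm_ip(addr):
    """Windows logs IPv4 clients as ::ffff:a.b.c.d; compare on the bare IPv4."""
    return addr[7:] if addr.startswith("::ffff:") else addr


SAMPLE_EVENTS = [
    # DC01$ NTLM network logon from DC01's own address: expected, no alert.
    {"EventID": 4624, "TargetUserName": "DC01$", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "IpAddress": "::ffff:172.16.5.5",
     "WorkstationName": "DC01"},
    # Same account and workstation name, but the TCP client is the attack host:
    # the DC was coerced and its authentication relayed.
    {"EventID": 4624, "TargetUserName": "DC01$", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "IpAddress": "::ffff:172.16.5.225",
     "WorkstationName": "DC01"},
    # TGT for DC01$ obtained with a certificate from the attack host (PKINIT).
    {"EventID": 4768, "TargetUserName": "DC01$", "IpAddress": "::ffff:172.16.5.225",
     "CertIssuerName": "INLANEFREIGHT-CA", "CertSerialNumber": "1B",
     "CertThumbprint": "3F0A9C"},
    # Password-based TGT request by a user: Cert* fields empty, no alert.
    {"EventID": 4768, "TargetUserName": "htb-student", "IpAddress": "::ffff:172.16.5.50",
     "CertIssuerName": "", "CertSerialNumber": "", "CertThumbprint": ""},
]


def detect_petitpotam_chain(events, dc_inventory):
    """Return findings for DC machine-account activity that did not come from the DC."""
    inventory = {k.upper(): v for k, v in dc_inventory.items()}
    findings = []
    for ev in events:
        account = ev.get("TargetUserName", "").upper()
        if account not in inventory:
            continue  # only DC machine accounts are of interest here
        src = norm_ip(ev.get("IpAddress", ""))
        if src in inventory[account]:
            continue  # the DC talking for itself is normal
        if (ev["EventID"] == 4624 and ev.get("LogonType") == "3"
                and ev.get("AuthenticationPackageName") == "NTLM"):
            # NTLM network logon as DC$ from a non-DC address: coercion + relay
            findings.append({"rule": "dc-ntlm-logon-from-unexpected-host",
                             "account": account, "source": src,
                             "workstation": ev.get("WorkstationName", "")})
        elif ev["EventID"] == 4768 and ev.get("CertThumbprint"):
            # PKINIT TGT for DC$ from a non-DC address: relayed certificate in use
            findings.append({"rule": "dc-pkinit-tgt-from-unexpected-host",
                             "account": account, "source": src,
                             "issuer": ev.get("CertIssuerName", "")})
    return findings


if __name__ == "__main__":
    for hit in detect_petitpotam_chain(SAMPLE_EVENTS, DC_INVENTORY):
        print(hit)
```

The 4624 rule needs an accurate inventory of every address each DC uses (including any secondary interfaces), otherwise routine DC-to-member traffic will fire it; the 4768 rule is the higher-confidence one, since a DC requesting its own TGT by certificate from another host has no normal explanation.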
Attack Flow
Usually the HTTP endpoint for the Certificate Enrollment Web Service can be found with this pattern:
In the Hack The Box example, the web enrollment HTTP endpoint is: http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp
Starting NTLM relay on your attacker machine
This command starts the NTLM relay. Any NTLM authentication captured is relayed to the AD CS Web Enrollment endpoint specified by the --target flag. The --adcs and --template flags request a certificate based on the DomainController certificate template.
Coerce the DC to authenticate to our attack host
Using the PetitPotam script, we coerce the Domain Controller to authenticate to our attack host on its 172.16.5.x interface.
We can observe that we captured the base64-encoded certificate of the Domain Controller via the NTLM relay.
Requesting a TGT Using gettgtpkinit.py
The next step is to request a TGT with the privileges of the Domain Controller. This can be done remotely with the gettgtpkinit.py script.
gettgtpkinit.py from PKINITtools accepts the base64-encoded PFX certificate directly (-pfx-base64 flag).
Alternatively, we can decode the base64 blob into a .pfx file and pass it to gettgtpkinit.py with the -cert-pfx flag instead.
Setting the Kerberos ticket (the .ccache file) as the KRB5CCNAME environment variable so that the Impacket tools use it.
Option 1: Dumping the NTDS.dit database using the Domain Controller TGT
Now that we have the Domain Controller TGT, we can conduct a DCSync attack and dump all NTDS.dit hashes.
Option 2: Submitting a TGS Request for Ourselves Using getnthash.py
Another avenue, once we have the Domain Controller TGT, is to request a TGS for ourselves. When PKINIT is used to request a TGT, the KDC embeds the account's credential information (the NT and LM hashes) in the PAC_CREDENTIAL_INFO structure of the ticket's Privilege Attribute Certificate (PAC). This information is encrypted and can be decrypted with the AS-REP session key obtained when requesting the TGT (gettgtpkinit.py prints this key).
The getnthash.py script from PKINITtools uses that key to decrypt the PAC and retrieve the NT hash of the Domain Controller machine account.
Then, using secretsdump.py, we can use this hash to conduct a DCSync attack via the -hashes flag.
On a Windows System
From a Windows system, Rubeus can be used to perform a pass-the-ticket (PTT) attack once we have obtained the base64-encoded Domain Controller certificate.
The command below aims to 1) request a TGT for the Domain Controller and 2) perform a PTT attack.
Then we can use Mimikatz to perform a DCSync attack and retrieve the NT hash of any privileged account. The command below dumps the krbtgt NT hash.
Mitigation
Only allow HTTPS connections and require SSL for the Certificate Authority Web Enrollment and Certificate Enrollment Web Service services, with Extended Protection for Authentication (EPA) enabled on those IIS endpoints as Microsoft recommends in KB5005413;
Disable NTLM authentication for the DC;
Disable NTLM for AD CS using Group Policy;
Disable NTLM on the web servers when the Certificate Authority Web Enrollment and Certificate Enrollment Web Service services are in use.