# Exchange Related Group Membership

- A default installation of Microsoft Exchange within an AD environment (with no split-administration model) opens up many attack vectors, as Exchange is often granted considerable privileges within the domain (via users, groups, and ACLs)
- If we are able to compromise an Exchange server, this will often lead to Domain Admin privileges
- Additionally, dumping credentials in memory from an Exchange server will produce 10s if not 100s of cleartext credentials or NTLM hashes
- This is often due to users logging in to Outlook Web Access (OWA) and Exchange caching their credentials in memory after a successful login
- The group `Exchange Windows Permissions` is not listed as a protected group, but its members are granted the ability to write a DACL to the domain object
- This can be leveraged to give a user DCSync privileges
- An attacker can add accounts to this group by leveraging a DACL misconfiguration (possible) or by leveraging a compromised account that is a member of the Account Operators group
- The group `Organization Management` is another extremely powerful group (effectively the "Domain Admins" of Exchange) and can access the mailboxes of all domain users. It is not uncommon for sysadmins to be members of this group

![[images/Pasted image 20251106133742.png]]

- This group also has full control of the OU called `Microsoft Exchange Security Groups`, which contains the group `Exchange Windows Permissions`

# PrivExchange

- Attack that results from a flaw in the Exchange Server `PushSubscription` feature, which allows any domain user with a mailbox to force the Exchange server to authenticate to any host provided by the client over HTTP

# Printer Bug

- This is a flaw in the MS-RPRN protocol (Print System Remote Protocol), which defines the communication of print job processing and print system management between a client and a print server
- To leverage this flaw, any domain user can connect to the spooler's named pipe with the `RpcOpenPrinter` method and use the `RpcRemoteFindFirstPrinterChangeNotificationEx` method to force the server to authenticate to any host provided by the client over SMB
- We can use tools such as the `Get-SpoolStatus` module from [this](http://web.archive.org/web/20200919080216/https://github.com/cube0x0/Security-Assessment) tool (that can be found on the spawned target) or [this](https://github.com/NotMedic/NetNTLMtoSilverTicket) tool to check for machines vulnerable to the [MS-PRN Printer Bug](https://blog.sygnia.co/demystifying-the-print-nightmare-vulnerability)
- Enumerate the printer bug with `Get-SpoolStatus`

```powershell
PS C:\htb> Import-Module .\SecurityAssessment.ps1
PS C:\htb> Get-SpoolStatus -ComputerName ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

ComputerName                        Status
------------                        ------
ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL   True
```

# MS14-068

- Flaw in the Kerberos protocol, which could be leveraged along with standard domain user credentials to elevate privileges to Domain Admin
- The vulnerability allows a forged PAC to be accepted by the KDC as legitimate. This can be leveraged to create a fake PAC, presenting a user as a member of the Domain Administrators or another privileged group
- It can be exploited with tools such as the [Python Kerberos Exploitation Kit (PyKEK)](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek) or the Impacket toolkit
- Mitigated by patching

# Sniffing LDAP creds

- Many applications and printers store LDAP credentials in their web admin console to connect to the domain
- These consoles are often left with weak or default passwords
- Sometimes, these credentials can be viewed in cleartext
- Other times, the application has a `test connection` function that we can use to gather credentials by changing the LDAP IP address to that of our attack host and setting up a `netcat` listener on LDAP port 389
- When the device attempts to test the LDAP connection, it will send the credentials to our machine, often in cleartext

# Enumerating DNS Records

- If we have valid creds for a domain user account, we can enumerate all DNS records in a domain using a tool such as [adidnsdump](https://github.com/dirkjanm/adidnsdump)
- Enumerate all DNS records

```bash
adidnsdump -u inlanefreight\\forend ldap://172.16.5.5
less records.csv   # view the output and look for interesting records
```

- Enumerate all DNS records again with the `-r` flag, which attempts to resolve unknown records by performing an A query

```bash
adidnsdump -u inlanefreight\\forend ldap://172.16.5.5 -r
less records.csv   # view the output and look for interesting records
```

# Other Misconfigurations

## Passwords in Description Field

- Sensitive information such as account passwords is sometimes found in the user account `Description` or `Notes` fields and can be quickly enumerated using `PowerView`

```powershell
PS C:\htb> Import-Module .\PowerView.ps1
PS C:\htb> Get-DomainUser * | Select-Object samaccountname,description | Where-Object {$_.Description -ne $null}

samaccountname description
-------------- -----------
administrator  Built-in account for administering the computer/domain
guest          Built-in account for guest access to the computer/domain
krbtgt         Key Distribution Center Service Account
ldap.agent     *** DO NOT CHANGE ***  3/12/2012: Sunsh1ne4All!
```

## PASSWD_NOTREQD Field

- It is possible to come across domain accounts with the [passwd_notreqd](https://ldapwiki.com/wiki/Wiki.jsp?page=PASSWD_NOTREQD) field set in the `userAccountControl` attribute
- If this is set, the user is not subject to the current password policy length, meaning they could have a shorter password or no password at all (if empty passwords are allowed in the domain)
- A password may be set as blank intentionally (sometimes admins don't want to be called out of hours to reset user passwords) or accidentally, by hitting enter before entering a password when changing it via the command line
- We can use `PowerView` to enumerate this attribute

```powershell
PS C:\htb> Import-Module .\PowerView.ps1
PS C:\htb> Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol

samaccountname       useraccountcontrol
--------------       ------------------
guest                ACCOUNTDISABLE, PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
mlowe                PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
ehamilton            PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
$725000-9jb50uejje9f ACCOUNTDISABLE, PASSWD_NOTREQD, NORMAL_ACCOUNT
nagiosagent          PASSWD_NOTREQD, NORMAL_ACCOUNT
```

## Creds in SMB Shares and SYSVOL scripts

- The `SYSVOL` share can be a treasure trove of data, especially in large organizations.
- We may find many different batch, VBScript, and PowerShell scripts within the scripts directory, which is readable by all authenticated users in the domain

```powershell
PS C:\htb> ls \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts

    Directory: \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        11/18/2021  10:44 AM            174 daily-runs.zip
-a----         2/28/2022   9:11 PM            203 disable-nbtns.ps1
-a----          3/7/2022   9:41 AM         144138 Logon Banner.htm
-a----          3/8/2022   2:56 PM            979 reset_local_admin_pass.vbs

PS C:\htb> cat \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts\reset_local_admin_pass.vbs

On Error Resume Next
strComputer = "."
Set oShell = CreateObject("WScript.Shell")
sUser = "Administrator"
sPwd = "!ILFREIGHT_L0cALADmin!"
Set Arg = WScript.Arguments
If Arg.Count > 0 Then
  sPwd = Arg(0) 'Pass the password as parameter to the script
End if
'Get the administrator name
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
<SNIP>
```

## GPP Passwords

- When a Group Policy Preference (GPP) is created, an `.xml` file is created in the `SYSVOL` share
- These files can include ones used to:
  - Map drives (drives.xml)
  - Create local users
  - Create printer config files (printers.xml)
  - Create and update services (services.xml)
  - Create scheduled tasks (scheduledtasks.xml)
  - Change local admin passwords
- The `cpassword` attribute value is AES-256 encrypted, but Microsoft [published the AES private key on MSDN](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be?redirectedfrom=MSDN), which can be used to decrypt the password
- Any domain user can read these files as they are stored on the SYSVOL share, and all authenticated users in a domain, by default, have read access to this domain controller share
- We can decrypt the `cpassword` attribute value using `gpp-decrypt`

```bash
gpp-decrypt <cpassword_attr_value>
```

- We can use `nxc` to enumerate GPP passwords

```bash
netexec smb -L | grep gpp    # list the nxc modules related to GPP
netexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin
```
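Added example for the "Passwords in Description Field" and "PASSWD_NOTREQD Field" sections above (my own audit script, not part of these notes, PowerView, or any tool referenced here). It works on an exported list of user objects (e.g. from `Get-DomainUser` or an LDAP dump) so it runs offline: it decodes the `userAccountControl` bitmask into the flag names PowerView prints, flags enabled accounts with `PASSWD_NOTREQD`, and applies a heuristic to description text that would catch the `ldap.agent` entry shown above. The `SAMPLE_USERS` records and their `userAccountControl` values are constructed to match the lab output in these notes.

```python
import re

# Subset of userAccountControl bit flags (values from Microsoft's ADS_USER_FLAG
# documentation; only the flags this audit needs).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}

# Keywords that commonly mark a credential written into a free-text field.
KEYWORD_RE = re.compile(r"(?i)\b(pass(word|wd)?|pwd|cred(ential)?s?)\b")
# Character classes used by the "looks like a password" heuristic.
CLASS_RES = (re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
             re.compile(r"\d"), re.compile(r"[^\w\s]"))


def decode_uac(value):
    """Turn a numeric userAccountControl into flag names, as PowerView prints them."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def looks_like_secret(text):
    """Heuristic: a credential keyword, or an 8+ char token that contains a digit
    and mixes at least three character classes (e.g. 'Sunsh1ne4All!')."""
    if not text:
        return False
    if KEYWORD_RE.search(text):
        return True
    for token in text.split():
        if len(token) < 8 or not any(ch.isdigit() for ch in token):
            continue
        if sum(1 for rx in CLASS_RES if rx.search(token)) >= 3:
            return True
    return False


def audit_users(users):
    """Return (samaccountname, severity, reason) tuples for risky accounts."""
    findings = []
    for user in users:
        sam = user["samaccountname"]
        flags = decode_uac(user["userAccountControl"])
        enabled = "ACCOUNTDISABLE" not in flags
        if "PASSWD_NOTREQD" in flags:
            if enabled:
                findings.append((sam, "high", "PASSWD_NOTREQD set on enabled account"))
            else:
                findings.append((sam, "low", "PASSWD_NOTREQD set (account disabled)"))
        if looks_like_secret(user.get("description")):
            findings.append((sam, "high", "possible credential in description"))
    return findings


# Constructed sample export mirroring the lab output in these notes
# (0x10222 = ACCOUNTDISABLE | PASSWD_NOTREQD | NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD).
SAMPLE_USERS = [
    {"samaccountname": "administrator", "userAccountControl": 0x10200,
     "description": "Built-in account for administering the computer/domain"},
    {"samaccountname": "guest", "userAccountControl": 0x10222,
     "description": "Built-in account for guest access to the computer/domain"},
    {"samaccountname": "krbtgt", "userAccountControl": 0x202,
     "description": "Key Distribution Center Service Account"},
    {"samaccountname": "ldap.agent", "userAccountControl": 0x10200,
     "description": "*** DO NOT CHANGE ***  3/12/2012: Sunsh1ne4All!"},
    {"samaccountname": "mlowe", "userAccountControl": 0x10220, "description": None},
    {"samaccountname": "nagiosagent", "userAccountControl": 0x220, "description": None},
]

if __name__ == "__main__":
    for sam, severity, reason in audit_users(SAMPLE_USERS):
        print(f"[{severity}] {sam}: {reason}")
```

The heuristic is deliberately loose (keyword or password-shaped token), so review hits by hand; the useful remediation signal is the set of enabled accounts with `PASSWD_NOTREQD`, which should be cleared unless there is a documented reason for the exception.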
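Added example for the "Creds in SMB Shares and SYSVOL scripts" and "GPP Passwords" sections above (my own script, not part of these notes or of `gpp-decrypt`/`nxc`). It walks a SYSVOL tree and reports two things a defender wants to clean up: GPP XML files that still carry a non-empty `cpassword` attribute, and logon scripts with a hard-coded password assignment (like the `sPwd = "..."` line in `reset_local_admin_pass.vbs`) or a `net user <name> <password>` command. It only locates the material, it does not decrypt anything. The directory tree it scans here is constructed in a temp directory; the GUID folder name and the `cpassword` value are placeholders, not real ciphertext.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

SCRIPT_EXT = {".vbs", ".ps1", ".bat", ".cmd"}

# Hard-coded credential assignment, e.g. sPwd = "..." or $password = '...'
ASSIGN_RE = re.compile(r"""(?i)(?:\$|\b)s?(?:pwd|pass(?:word|wd)?)\b\s*=\s*["']([^"']+)["']""")
# "net user <name> <password>" in batch logon scripts (a leading "/" means a switch, not a password)
NET_USER_RE = re.compile(r"(?i)\bnet\s+user\s+\S+\s+([^\s/]+)")


def scan_script(path):
    """Report lines of a logon script that appear to embed a password."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for rx, kind in ((ASSIGN_RE, "hardcoded-password"), (NET_USER_RE, "net-user-password")):
                if rx.search(line):
                    hits.append({"path": path, "line": lineno, "kind": kind})
    return hits


def scan_gpp_xml(path):
    """Report any element in a GPP XML file carrying a non-empty cpassword attribute."""
    hits = []
    try:
        tree = ET.parse(path)
    except ET.ParseError:          # not every .xml under SYSVOL is a preference file
        return hits
    for elem in tree.iter():
        if elem.get("cpassword"):  # empty cpassword="" means no stored password
            hits.append({"path": path, "line": None, "kind": "gpp-cpassword",
                         "element": elem.tag, "name": elem.get("name") or elem.get("userName")})
    return hits


def scan_sysvol(root):
    """Walk a SYSVOL tree (local copy or UNC path) and collect findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext == ".xml":
                findings.extend(scan_gpp_xml(path))
            elif ext in SCRIPT_EXT:
                findings.extend(scan_script(path))
    return findings


def summarize(findings):
    """Sorted (kind, file name) pairs, handy for reports and tests."""
    return sorted((f["kind"], os.path.basename(f["path"])) for f in findings)


# Constructed sample SYSVOL layout (placeholder GUID and cpassword value).
SAMPLE_FILES = {
    "INLANEFREIGHT.LOCAL/scripts/reset_local_admin_pass.vbs":
        'On Error Resume Next\nsUser = "Administrator"\nsPwd = "!ILFREIGHT_L0cALADmin!"\n',
    "INLANEFREIGHT.LOCAL/scripts/disable-nbtns.ps1":
        '$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True"\n',
    "INLANEFREIGHT.LOCAL/scripts/logon.bat":
        'net user localadmin Ex4mple-Passw0rd /add\nnet user guest /active:no\n',
    "INLANEFREIGHT.LOCAL/Policies/{EXAMPLE-GUID}/Machine/Preferences/Groups/Groups.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Groups><User name="Administrator (built-in)">\n'
        '  <Properties action="U" userName="Administrator (built-in)" '
        'cpassword="EXAMPLE-CIPHERTEXT-NOT-A-REAL-VALUE"/>\n'
        '</User></Groups>\n'
    ),
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="sysvol-audit-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for kind, name in summarize(scan_sysvol(build_sample_tree())):
        print(f"{kind:20} {name}")
```

Against a live domain, point `scan_sysvol` at the share itself (on Windows, `scan_sysvol(r"\\dc01\SYSVOL\domain.local")` works directly; elsewhere mount it first). Every `gpp-cpassword` hit means the preference should be removed and the affected password rotated, since the value is recoverable with the published key regardless of who has read the file so far.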