UI
Search…
UI
ABOUT US
UNSAFE
sAMAccountName Spoofing in the Forest
Pass-the-Hash Attack Over Named Pipes Against ESET Server Security
Netcat Relay
Hiren's BootCD in the AD
Abusing LAPS
INLINE
0DAY
Multiple ManageEngine Applications Critical Information Disclosure Vulnerability
Thecus N4800Eco Nas Server Control Panel Comand Injection
ManageEngine ADSelfService Plus 6.1 CSV Injection (CVE-2021-33256)
Openlitespeed Web Server 1.7.8 - Privilege Escalation (CVE-2021-26758)
KLOG Server (Authenticated) Command Injection (CVE-2021-3317)
Cokpit version 234 - Server Side Request Forgery (CVE-2020-35850)
KLOG Server Unauthenticated Command Injection (CVE-2020-35729)
Pearson Vue - VUEApplicationWrapper Unquoted Service Path (CVE-2020-36154)
Intel(r) Management and Security Application 5.2 - UNS Unquoted Service Path
BRAdmin Professional 3.75 - Unquoted Service Path
Powered By GitBook
sAMAccountName Spoofing in the Forest
Exploiting sAMAccountName spoofing (CVE-2021-42278 & CVE-2021-42287) from the child domain can led to compromise the parent domain

Description

Parent domain can be compromised from a user of the child domain using the noPac.exe (sAMAccountName spoofing exploit) is written by cube0x0. I notice that he didn't refer example command to compromise the parent domain.
Forest Information
unsafe.local = parent domain
gotham.unsafe.local = child domain
user1 = user of the gotham domain
For above scenario, you must set -dc parameter as a domain controller of the parent domain without specifying -domain parameter because if you specify a parent domain name with the credentials of a child domain user, invalid credentials error occurs in the NetworkCredential class.
If you specify the child domain name, a machine account will be added to gotham.unsafe.local by the noPac exploit and it fails our objective. So NetworkCredential.argDomain should be empty. Username and password are enough to connect parent DC successfully. (trust relations) We can see this adding line 399.
The domain name that is required for adding a machine will be extracted from the specified DC name (line 421).
Commands
noPac.exe -user [child-user] -pass [pass] -dc [parent-dc] -mAccount [machine-name] -mPassword [machine-pass] -service cifs -ptt
dir \\parent-dc\c$

Reference

Previous
UNSAFE
Next
Pass-the-Hash Attack Over Named Pipes Against ESET Server Security
Last modified 6mo ago
Copy link
Outline
Description
Reference