Zero is an Active Directory beginner box from cyberseclabs.co.uk which exploits a recently released critical vulnerability for Active Directory environments dubbed “zerologon” which allows for instant escalating to Domain Admin. Let’s try this one out!
Table of Contents
A quick nmap scan should do the job for this box, the only information we need is RPC, but it’s always a good idea to run a full scan just to get an idea of what else is on the box.
nmap -sCV -p- 172.31.1.29
PORT STATE SERVICE VERSION 53/tcp open domain? 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-09-25 02:51:16Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: Zero.csl0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: Zero.csl0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 3389/tcp open ms-wbt-server Microsoft Terminal Services | rdp-ntlm-info: | Target_Name: ZERO | NetBIOS_Domain_Name: ZERO | NetBIOS_Computer_Name: ZERO-DC | DNS_Domain_Name: Zero.csl | DNS_Computer_Name: Zero-DC.Zero.csl | Product_Version: 10.0.17763 |_ System_Time: 2020-09-25T02:53:53+00:00 | ssl-cert: Subject: commonName=Zero-DC.Zero.csl | Issuer: commonName=Zero-DC.Zero.csl | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2020-09-23T21:38:22 | Not valid after: 2021-03-25T21:38:22 | MD5: 3683 bd36 cdde dee0 bdc9 5126 3f19 8933 |_SHA-1: 35a8 b567 26fc c755 4ed9 b35d 693a 2d44 aa8c 5bc7 |_ssl-date: 2020-09-25T02:54:07+00:00; -1s from scanner time. 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 21837/tcp filtered unknown 35084/tcp filtered unknown 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found
The only thing of interest to us here is the RPC script info the nmap got for us as this is the information we’ll need to exploit ZeroLogon (There isn’t anything that points to this vuln aside from the machine being a DC, if you don’t have previous knowledge concerning ZeroLogon, this box is going to be rather perplexing).
The exploit for this box, dubbed “ZeroLogon”, allows us to instantly take over a Domain Controller by changing the machine password to an empty string. For a detailed explanation on the interworkings of this exploit, I found this. This exploit requires us to have the latest version of impacket and even then it might throw issues. The easiest way to do this is to set up virtualenv and install and run the exploit inside the virtualenv. This can be done by running the following commands (the installing line can be ignored if
virtualenv is already installed):
python3 -m pip install virtualenv python3 -m virtualenv impkt source impkt/bin/activate pip install git+https://github.com/SecureAuthCorp/impacket
Now that impacket is properly installed, we can pull down the ZeroLogon PoC which can be found here. Let’s try running the PoC and see if the box is vulnerable to ZeroLogon. For this we need the name of the Domain Controller (Zero-DC) and the IP of the box (172.31.1.29).
And it worked! Now that we’ve changed the machine password to an empty string, we can use an impacket tool called
secretsdump.py to dump the hashes on the machine.
We now have the hashes of the machine! We can use
psexec.py, another impacket tool to gain a system level shell on the box using the hashes we dumped.
We are system!