blackarrowsec / redteam-research
Collection of PoC and offensive techniques used by the BlackArrow Red Team
Target DC: Windows Server 2012 R2 with no patches.
Local env: Kali Linux, python 3.8.5
root@kali:/opt/redteam-research/CVE-2020-1472# python3 CVE-2020-1472.py WIN-CSMHCU65E3A Administrator 192.168.1.101
[!] CVE-2020-1472 PoC by BlackArrow (Tarlogic)
Performing authentication attempts...
===================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================
Success! DC can be fully compromised by a Zerologon attack. (attempt=499)
Traceback (most recent call last):
  File "CVE-2020-1472.py", line 153, in <module>
    passwordSet2(rpc_con, nbios_name, computer)
  File "CVE-2020-1472.py", line 134, in passwordSet2
    resp = dce.request(request)
  File "/usr/lib/python3/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 877, in request
    raise exception
impacket.dcerpc.v5.nrpc.DCERPCSessionError: NRPC SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
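From the defender's side, the run above would leave a footprint on the DC even though the final password set failed. The following is an added example, not code from the redteam-research repo or from this issue: it flags the documented Zerologon (CVE-2020-1472) indicators in exported Security/System events, namely Event 4742 (computer account changed) with Subject ANONYMOUS LOGON (SID S-1-5-7) against a machine account, and the Netlogon events 5827/5829 that Microsoft added in the August 2020 update. Events are assumed to arrive as plain dicts with the field names shown; the sample events are constructed.

```python
# Added example (not from the redteam-research repo): flag the DC-side
# footprints of a Zerologon (CVE-2020-1472) password reset in event logs.
# Events are plain dicts with assumed field names; samples are constructed.

ANONYMOUS_LOGON_SID = "S-1-5-7"

# Netlogon events from the August 2020 update: 5827 = vulnerable secure
# channel connection denied (machine account), 5829 = allowed.
NETLOGON_VULNERABLE_EVENTS = {5827: "denied", 5829: "allowed"}


def is_zerologon_password_reset(event):
    """4742 by ANONYMOUS LOGON against a machine account ($ suffix) is the
    classic Zerologon indicator: only the DC itself should reset its password."""
    return (
        event.get("EventID") == 4742
        and event.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
        and str(event.get("TargetUserName", "")).endswith("$")
    )


def classify(event):
    """Return a short verdict string, or None if the event is uninteresting."""
    if is_zerologon_password_reset(event):
        return f"zerologon-reset:{event['TargetUserName']}"
    eid = event.get("EventID")
    if eid in NETLOGON_VULNERABLE_EVENTS:
        acct = event.get("MachineAccount", "?")  # assumed field name
        return f"netlogon-vulnerable-{NETLOGON_VULNERABLE_EVENTS[eid]}:{acct}"
    return None


def scan(events):
    """Return the verdicts for every suspicious event, in log order."""
    return [v for v in (classify(e) for e in events) if v]


# Constructed sample: a legitimate reset by an admin, then the attack pattern
# against the DC named in the issue above.
SAMPLE_EVENTS = [
    {"EventID": 4742, "SubjectUserSid": "S-1-5-21-1-2-3-500",
     "SubjectUserName": "Administrator", "TargetUserName": "WS01$"},
    {"EventID": 4742, "SubjectUserSid": ANONYMOUS_LOGON_SID,
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "WIN-CSMHCU65E3A$"},
    {"EventID": 5829, "MachineAccount": "WIN-CSMHCU65E3A$"},
    {"EventID": 4624, "SubjectUserSid": ANONYMOUS_LOGON_SID},
]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_EVENTS):
        print(verdict)
```

A 4742 with a non-anonymous subject, as in the first sample event, is normal domain activity and is deliberately not flagged.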
Hello,
I've compiled the code for storsvc with only one change, which is Windows 10 to Windows 11 in storsvc_c.c. When I ran the RpcClient.exe binary on a Windows 11 system, I encountered an error:
Exception: 1753 - 0x000006d9
When trying to look for more information on this error code, I found mostly issues around the Windows Firewall service. However, the Windows Firewall service is running on my box. So I'm just wondering if you have encountered this issue before, and how you'd fix it.
Thanks!
Exception: 1753 - 0x000006d9
So I have this Windows 10 21H2 with the following precise version:
I built both RpcClient.exe and SprintCSP.dll without changing anything; I kept the default command in the DLL as the define macro. I have a writable SYSTEM path "C:\python" where I put the DLL. I monitored the execution of RpcClient.exe with ProcMon and I can see the loading of the DLL:
It is loaded when I start RpcClient but the command is not executed (I tried different commands).
I noticed this error:
I tried changing authorizations to full for everybody but it didn't do anything.
What is the problem? What did I do wrong?
Feel free to ask me for more information.
(Obviously Windows Defender is asleep)
Edit: I tried with a Windows 10 21H1 version 10.0.19043.928 and I get the same result. I searched a bit on the Internet for "FILE LOCKED ONLY FOR READERS" and it may seem linked to the fact that the files (.dll and .exe) come from a shared folder (VMware shared folder between the victim VM and my host). I'll try to compile everything on the VM.
Second edit: I actually built everything on the target machine and it worked. But building everything on the machine you want to privesc is not really stealthy or accurate for red team. Do you know why I get the error in ProcMon when I compile files on my host machine and not on the target?
Hey,
Everything works fine when I execute as a normal user,
but it gives Error: 1314 when running as NT SYSTEM.
OS Name: Microsoft Windows Server 2022 Standard
OS Version: 10.0.20348 N/A Build 20348
Hi. Do you have the string for Windows 2016?
    static const RPC_CLIENT_INTERFACE DefaultIfName___RpcClientInterface = {
        sizeof(RPC_CLIENT_INTERFACE),
    #if defined(WIN10)
        {{0xbe6293d3,0x2827,0x4dda,{0x80,0x57,0x85,0x88,0x24,0x01,0x24,0xc9}},{0,0}},
    #endif
    #if defined(WIN11)
        {{0xec029036,0x297f,0x4f3a,{0xa1,0x69,0x7a,0x2f,0xef,0xa5,0xcc,0x3e}},{0,0}},
    #endif
    #if defined(WIN2019)
        {{0xbe7f785e,0x0e3a,0x4ab7,{0x91,0xde,0x7e,0x46,0xe4,0x43,0xbe,0x29}},{0,0}},
    #endif
    #if defined(WIN2022)
        {{0xd8140e00,0x5c46,0x4ae6,{0x80,0xac,0x2f,0x9a,0x76,0xdf,0x22,0x4c}},{0,0}},
    #endif
        {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},
        0,
        0,
        0,
        0,
        &DefaultIfName_ProxyInfo,
        0x02000000
    };
Hi there,
Hope you guys are doing great, and thank you for your efforts in demonstrating this exploit.
I am trying to run the exploit on Windows Server 2012 R2 Datacenter and am facing the following exception: [ Exception: 1753 - 0x000006d9 ]. I do think it has something to do with the RPC UUID (macro) defined in storsvc_c.c (lines 4 & 64).
It would help a lot if you could give the right RPC UUID (macro) for Windows Server 2012 R2 Datacenter.
Thanks once again.