{"id":1521,"date":"2025-03-08T05:34:05","date_gmt":"2025-03-08T05:34:05","guid":{"rendered":"https:\/\/hackmybox.com\/?p=1521"},"modified":"2025-09-08T16:22:30","modified_gmt":"2025-09-08T16:22:30","slug":"nopac-cve-2021-42278-cve-2021-42287","status":"publish","type":"post","link":"https:\/\/hackmybox.com\/index.php\/2025\/03\/08\/nopac-cve-2021-42278-cve-2021-42287\/","title":{"rendered":"Exploring NoPac (CVE-2021-42278 &amp; CVE-2021-42287)"},"content":{"rendered":"<div class=\"vce-row-container\" data-vce-boxed-width=\"true\"><div class=\"vce-row vce-row--col-gap-30 vce-row-equal-height vce-row-content--top\" id=\"el-c0700e37\" data-vce-do-apply=\"all el-c0700e37\"><div class=\"vce-content-background-container\"><\/div><div class=\"vce-row-content\" data-vce-element-content=\"true\"><div class=\"vce-col vce-col--md-auto vce-col--xs-1 vce-col--xs-last vce-col--xs-first vce-col--sm-last vce-col--sm-first vce-col--md-last vce-col--lg-last vce-col--xl-last vce-col--md-first vce-col--lg-first vce-col--xl-first\" id=\"el-8f6db717\"><div class=\"vce-col-inner\" data-vce-do-apply=\"border margin background  el-8f6db717\"><div class=\"vce-col-content\" data-vce-element-content=\"true\" data-vce-do-apply=\"padding el-8f6db717\"><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-aeae6e71\" data-vce-do-apply=\"all el-aeae6e71\"><p>I recently explored several vulnerabilities in Active Directory environments, including NoPac, PrintNightmare, and PetitPotam.&nbsp;<\/p><p>NoPac (CVE-2021-42278 &amp; CVE-2021-42287) is the name given to the chain of these two bugs and to the public exploit for it that was released in December 2021. 
Chained together, the two vulnerabilities allow an attacker to escalate from a standard domain user to Domain Admin in a single command by spoofing a domain controller's sAMAccountName. CVE-2021-42278 is the missing validation that lets a low-privileged user give a computer account a sAMAccountName without the trailing $; CVE-2021-42287 is the KDC behaviour that, when the client named in a TGT no longer exists, retries the lookup with a $ appended and so issues a ticket in the domain controller's own context.&nbsp;<\/p><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-959386c5\" data-vce-do-apply=\"all el-959386c5\"><p style=\"text-align: center;\"><span style=\"font-size: 14pt; color: #00ff00;\">&nbsp;The exploitation process<\/span><br><span style=\"font-size: 8pt;\">(Source: Secureworks.com)<\/span><\/p><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-ac3a378d\" data-vce-do-apply=\"all el-ac3a378d\"><p><span style=\"color: #00ff00;\">1.<\/span> Create a new computer account in Active Directory (AD) with a random name, then change its sAMAccountName to the name of one of the domain controllers without the trailing $ (see Figure 1). No special rights are needed for this: by default ms-DS-MachineAccountQuota lets any authenticated user add up to 10 computer accounts, and the creator has write access to the account's attributes.<\/p><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-center\"><div class=\"vce vce-single-image-wrapper\" id=\"el-21bbada6\" data-vce-do-apply=\"all el-21bbada6\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 564px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 42.5532%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"564\" height=\"240\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/03\/noPac_image1-320x136.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/03\/noPac_image1-480x204.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/noPac_image1-564x240.png 564w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/noPac_image1-564x240.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/03\/noPac_image1.png\" data-attachment-id=\"1525\"  alt=\"\" title=\"noPac_image1\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-text-block\"><div
class=\"vce-text-block-wrapper vce\" id=\"el-97f71dd2\" data-vce-do-apply=\"all el-97f71dd2\"><p style=\"text-align: center;\"><span style=\"font-size: 8pt;\">Figure 1. Renaming a computer account to spoof a domain controller. (Source: Secureworks)<\/span><\/p><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-ec2cacf1\" data-vce-do-apply=\"all el-ec2cacf1\"><p><span style=\"color: #00ff00;\">2.<\/span> Request a Kerberos ticket-granting ticket (TGT) for the computer account created in step one; the KDC embeds the spoofed name, without the $, as the client name in that ticket. Once the ticket is granted, change the sAMAccountName of the computer account back to its original value, so that no account with the domain controller's bare name exists any longer (see Figure 2).<\/p><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-center\"><div class=\"vce vce-single-image-wrapper\" id=\"el-59616729\" data-vce-do-apply=\"all el-59616729\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 426px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 49.061%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"426\" height=\"209\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/03\/NoPac_image2-320x157.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/NoPac_image2-426x209.png 426w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/NoPac_image2-426x209.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/03\/NoPac_image2.png\" data-attachment-id=\"1526\"  alt=\"\" title=\"NoPac_image2\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-raw-html\"><div class=\"vce-raw-html-wrapper\" id=\"el-62dcf27b\" data-vce-do-apply=\"all el-62dcf27b\"><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-448399d1\" data-vce-do-apply=\"all el-448399d1\"><p style=\"text-align: center;\"><span style=\"font-size: 8pt;\">Figure 2. Successful ticket request for spoofed domain controller. (Source: Secureworks)<\/span><\/p><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-dd655b18\" data-vce-do-apply=\"all el-dd655b18\"><p><span style=\"color: #00ff00;\">3.<\/span> Using the TGT from step two, request a Kerberos service ticket (TGS) for the Lightweight Directory Access Protocol (LDAP) service on the domain controller. The client name carried in the TGT is the spoofed name from step one, and no account with that name exists any longer. Instead of rejecting the request, the KDC retries the lookup with a $ appended, finds the real domain controller's machine account, and issues the ticket in that account's context. Combined with an S4U2self request on behalf of the administrator account, this yields a service ticket for administrator against the domain controller, and domain administrator access is acquired (see Figure 3).<\/p><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-center\"><div class=\"vce vce-single-image-wrapper\" id=\"el-c1f357e7\" data-vce-do-apply=\"all el-c1f357e7\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 397px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 67.0025%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"397\" height=\"266\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/03\/noPac_image3-320x214.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/noPac_image3-397x266.png 397w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/09\/noPac_image3-397x266.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/03\/noPac_image3.png\" data-attachment-id=\"1527\"  alt=\"\" title=\"noPac_image3\"
\/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-2b2d38ea\" data-vce-do-apply=\"all el-2b2d38ea\"><p style=\"text-align: center;\"><span style=\"font-size: 8pt;\">Figure 3. Successful service request for spoofed domain controller. (Source: Secureworks)<\/span><\/p><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-dc25ed8c\" data-vce-do-apply=\"all el-dc25ed8c\"><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-154b508f\" data-vce-do-apply=\"all el-154b508f\"><p style=\"text-align: center;\"><span style=\"font-size: 14pt; color: #ffff00;\">Command Breakdown<\/span><\/p><p style=\"text-align: center;\">(Insights from HTB Academy: Bleeding Edge Vulnerabilities)<\/p><\/div><\/div><div class=\"vce-single-image-container vce-single-image--align-left\"><div class=\"vce vce-single-image-wrapper\" id=\"el-814e0858\" data-vce-do-apply=\"all el-814e0858\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 1024px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 53.5156%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"1024\" height=\"548\" srcset=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/03\/nopac-1024x548.png 1024w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/03\/nopac-320x171.png 320w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/03\/nopac-480x257.png 480w, https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/03\/nopac-800x428.png 800w\" src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/03\/nopac-1024x548.png\" data-img-src=\"https:\/\/hackmybox.com\/wp-content\/uploads\/2025\/03\/nopac.png\" data-attachment-id=\"1522\"  alt=\"\" title=\"nopac\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><div
class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-f2781f40\" data-vce-do-apply=\"all el-f2781f40\"><p><span style=\"color: #00ff00;\">sudo python3 noPac.py INLANEFREIGHT.LOCAL\/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap<\/span><\/p><p><span style=\"color: #ffff00;\">INLANEFREIGHT.LOCAL\/forend:Klmcargo2:<\/span><\/p><ul><li><span style=\"color: #ffff00;\">INLANEFREIGHT.LOCAL:<\/span> The name of the Active Directory domain you are targeting.<\/li><li><span style=\"color: #ffff00;\">forend:<\/span> The username you are authenticating as in the domain INLANEFREIGHT.LOCAL. This is an ordinary, low-privileged lab user; any domain user with default rights works, because the attack needs nothing beyond the ability to add a computer account.<\/li><li><span style=\"color: #ffff00;\">Klmcargo2:<\/span> The password for the forend user, used to authenticate to the domain.<\/li><\/ul><p><span style=\"color: #ffff00;\">-dc-ip 172.16.5.5: <\/span>The IP address of the Domain Controller (DC) that the script talks to for LDAP and Kerberos.<\/p><p><span style=\"color: #ffff00;\">-dc-host ACADEMY-EA-DC01:<\/span>&nbsp;The hostname of the Domain Controller to spoof. The new computer account is renamed to this value, without the $ that the real machine account ACADEMY-EA-DC01$ carries.<\/p><p><span style=\"color: #ffff00;\">-shell:<\/span> &nbsp;Tells the script to spawn a semi-interactive shell on the Domain Controller with the ticket it obtains after successful exploitation.<\/p><p><span style=\"color: #ffff00;\">--impersonate administrator:<\/span> &nbsp;The account whose identity is requested in the S4U2self step; the resulting service ticket is for administrator, which is what turns the spoofed machine account into Domain Admin access.<\/p><p><span style=\"color: #ffff00;\">-use-ldap:<\/span> &nbsp;Tells the script to use plain LDAP (Lightweight Directory Access Protocol) rather than LDAPS when it creates and renames the computer account on the Domain Controller.<\/p><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-042bcadc\" data-vce-do-apply=\"all el-042bcadc\"><p>&nbsp;<\/p><p style=\"text-align: center;\"><span style=\"font-size: 14pt; color: #00ff00;\">Breakdown of Output<\/span><\/p><p><span style=\"color: #ffff00;\">1. 
Selected Target ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL:<\/span><br>The script has resolved the target Domain Controller (ACADEMY-EA-DC01) in the domain INLANEFREIGHT.LOCAL; this is the name the computer account will be renamed to.<\/p><p><span style=\"color: #ffff00;\">2. Adding Computer Account \"WIN-N2SNSUFRU7T$\":<\/span><br>A new computer account (WIN-N2SNSUFRU7T$) is created in the domain using only the forend user's credentials. This is the account whose name will be spoofed.<\/p><p style=\"text-align: left;\"><span style=\"color: #ffff00;\">3. WIN-N2SNSUFRU7T$ sAMAccountName == ACADEMY-EA-DC01:<\/span><br>The sAMAccountName (Security Account Manager account name) of the new computer account <span style=\"color: #00ff00;\">WIN-N2SNSUFRU7T$<\/span> is changed to ACADEMY-EA-DC01, the name of the target domain controller without the trailing $ of its real machine account ACADEMY-EA-DC01$. This is the CVE-2021-42278 half of NoPac: an unpatched DC accepts the rename.<\/p><p style=\"text-align: left;\"><span style=\"color: #ffff00;\">4. Using TGT from cache:<\/span><br>The script has requested a TGT (Ticket Granting Ticket) for the spoofed name and saved it to a ccache file; that TGT now names ACADEMY-EA-DC01 as its client. Before the ticket is used, the computer account is renamed back to WIN-N2SNSUFRU7T$, so the name in the TGT no longer matches any account, and the TGT is then loaded from the cache to request further tickets from the Kerberos Key Distribution Center (KDC).<\/p><p style=\"text-align: left;\"><span style=\"color: #ffff00;\">5. Impersonating administrator:<\/span><br>The script uses the cached TGT to request an S4U2self (Service for User to Self) ticket on behalf of the administrator account.<\/p><p style=\"text-align: left;\"><span style=\"color: #ffff00;\">6. Requesting S4U2self:<\/span><br>S4U2self is a Kerberos protocol extension with which a service obtains a service ticket to itself on behalf of another user. Because the unpatched KDC cannot find ACADEMY-EA-DC01, it retries with a $ appended and resolves the request to the domain controller's own account ACADEMY-EA-DC01$ (the CVE-2021-42287 half), so the ticket it returns is one for administrator to the domain controller, and the script uses it to open the requested shell.<\/p><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-f3bd1335\" data-vce-do-apply=\"all el-f3bd1335\"><p style=\"text-align: center;\"><span style=\"color: #00ff00; font-size: 14pt;\">Conclusion<\/span><\/p><p>Studying CVEs and exploits such as NoPac is crucial, as it provides hands-on knowledge of vulnerabilities and attack methods. 
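To make the two flaws concrete, here is a small Python model of the three-step chain walked through above. It is an added example, not code from the original post or from noPac.py: the in-memory directory, the SIDs and the enforce_42278 / enforce_42287 switches are constructed for illustration, and they model the behaviour described in Microsoft's KB5008102 (sAMAccountName validation) and KB5008380 (PAC_REQUESTOR) rather than the real KDC code. Unpatched, the rename to a name without $ is accepted and the KDC retries a failed client lookup with $ appended; with the fixes, the rename is rejected, and a ticket whose PAC_REQUESTOR SID does not match the account the name resolved to is refused.

```python
"""Model of the two flaws chained by NoPac (constructed example, not noPac.py)."""
from dataclasses import dataclass
from typing import Dict, Optional


class KerberosError(Exception):
    """Stand-in for a KDC error reply (constructed for the model)."""


@dataclass
class Account:
    sam: str            # sAMAccountName
    sid: str            # objectSid (constructed values below)
    is_computer: bool


@dataclass
class TGT:
    cname: str                    # client name embedded in the ticket
    requestor_sid: Optional[str]  # PAC_REQUESTOR; only emitted by a patched KDC


def make_directory() -> Dict[str, Account]:
    """Constructed domain: the lab DC plus the low-privileged 'forend' user."""
    accounts = [
        Account("ACADEMY-EA-DC01$", "S-1-5-21-1-1-1-1000", True),
        Account("forend", "S-1-5-21-1-1-1-1105", False),
    ]
    return {a.sid: a for a in accounts}


def find_by_sam(d: Dict[str, Account], sam: str) -> Optional[Account]:
    """sAMAccountName lookup, case-insensitive as in AD."""
    return next((a for a in d.values() if a.sam.lower() == sam.lower()), None)


def add_computer(d: Dict[str, Account], sam: str, sid: str) -> None:
    """Machine-account creation; the default MachineAccountQuota allows this."""
    if find_by_sam(d, sam):
        raise ValueError("sAMAccountName already exists")
    d[sid] = Account(sam, sid, True)


def rename_account(d: Dict[str, Account], sid: str, new_sam: str,
                   enforce_42278: bool = False) -> None:
    """sAMAccountName change. Unpatched, the only check is uniqueness, so a
    computer account may drop its trailing '$' (CVE-2021-42278)."""
    if find_by_sam(d, new_sam):
        raise ValueError("sAMAccountName already exists")
    acct = d[sid]
    if enforce_42278 and acct.is_computer and not new_sam.endswith("$"):
        raise ValueError("computer sAMAccountName must end with '$'")
    acct.sam = new_sam


def request_tgt(d: Dict[str, Account], sam: str,
                enforce_42287: bool = False) -> TGT:
    """AS-REQ: the TGT records the client name as it is at this moment."""
    acct = find_by_sam(d, sam)
    if acct is None:
        raise KerberosError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
    return TGT(cname=acct.sam, requestor_sid=acct.sid if enforce_42287 else None)


def resolve_ticket_client(d: Dict[str, Account], tgt: TGT,
                          enforce_42287: bool = False) -> Account:
    """TGS-REQ: resolve the TGT's client name to an account. The unpatched KDC
    retries with '$' appended when the name is gone (CVE-2021-42287); the
    patched KDC additionally checks the PAC_REQUESTOR SID against the match."""
    acct = find_by_sam(d, tgt.cname) or find_by_sam(d, tgt.cname + "$")
    if acct is None:
        raise KerberosError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
    if enforce_42287:
        if tgt.requestor_sid is None:
            raise KerberosError("KDC_ERR_TGT_REVOKED: ticket has no PAC_REQUESTOR")
        if acct.sid != tgt.requestor_sid:
            raise KerberosError("KDC_ERR_TGT_REVOKED: PAC_REQUESTOR does not match account")
    return acct


def run_nopac(enforce_42278: bool = False, enforce_42287: bool = False) -> str:
    """Walk the three steps from the post and report which identity the KDC
    finally grants: the sAMAccountName on success, or 'blocked: <reason>'."""
    d = make_directory()
    fake, fake_sid = "WIN-N2SNSUFRU7T$", "S-1-5-21-1-1-1-1200"
    dc = "ACADEMY-EA-DC01"
    try:
        add_computer(d, fake, fake_sid)                     # step 1: new machine account
        rename_account(d, fake_sid, dc, enforce_42278)      # step 1: DC name without '$'
        tgt = request_tgt(d, dc, enforce_42287)             # step 2: TGT as ACADEMY-EA-DC01
        rename_account(d, fake_sid, fake, enforce_42278)    # step 2: rename back
        who = resolve_ticket_client(d, tgt, enforce_42287)  # step 3: TGS lookup
    except (ValueError, KerberosError) as exc:
        return f"blocked: {exc}"
    # In the real attack the S4U2self request is now made from this identity
    # to obtain a service ticket for 'administrator' against the DC.
    return who.sam


if __name__ == "__main__":
    for flags in [(False, False), (True, False), (False, True)]:
        print(flags, "->", run_nopac(*flags))
```

Running the script prints the identity granted in three configurations: unpatched, the KDC resolves the stale name to ACADEMY-EA-DC01$; with the sAMAccountName validation alone, the rename in step one is refused; with the PAC_REQUESTOR check alone, the rename still succeeds but the TGS request in step three is rejected because the SID in the ticket belongs to WIN-N2SNSUFRU7T$ and not to the domain controller. A legitimate ticket for ACADEMY-EA-DC01$ keeps working under both checks, which is the point of validating by SID rather than by name.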
This process helps develop the skills necessary to defend against real-world threats. For NoPac that means applying the November 2021 updates (KB5008102 adds sAMAccountName validation for computer accounts and KB5008380 adds the PAC_REQUESTOR check at the KDC), lowering ms-DS-MachineAccountQuota from its default of 10 where users do not need to join machines, and alerting on event ID 4781 account renames that drop the trailing $ from a computer account.<\/p><\/div><\/div><div class=\"vce vce-separator-container vce-separator--align-center vce-separator--style-solid\" id=\"el-bda5e2a9\" data-vce-do-apply=\"margin el-bda5e2a9\"><div class=\"vce-separator vce-separator--color-bfc0c1 vce-separator--width-60 vce-separator--thickness-1\" data-vce-do-apply=\"border padding background  el-bda5e2a9\"><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-7804c07d\" data-vce-do-apply=\"all el-7804c07d\"><p>Want to learn more and gain hands-on experience? Sign up with HTB Academy by clicking the link below.<\/p><\/div><\/div><div class=\"vce-button--style-basic-container vce-button--style-basic-container--align-center\"><span class=\"vce-button--style-basic-wrapper vce\" id=\"el-4be38786\" data-vce-do-apply=\"margin el-4be38786\"><a class=\"vce-button vce-button--style-basic vce-button--style-basic--border-rounded vce-button--style-basic--size-medium vce-button--style-basic--color-b-168-210-40--fff\" href=\"http:\/\/hacktheboxltd.sjv.io\/19DPP6\" title=\"\" data-vce-do-apply=\"padding border background  el-4be38786\">JOIN NOW<\/a><\/span><\/div><\/div><\/div><\/div><\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>I recently explored several vulnerabilities in Active Directory environments, including NoPac, PrintNightmare, and PetitPotam.&nbsp;NoPac (CVE-2021-42278 &amp; CVE-2021-42287) is the name given to the chain of these two bugs and to the public exploit for it that was released in December 2021. 
This vulnerability allows attackers to escalate privileges from a standard domain user to Domain Admin in a single command by spoofing a Domain Controller&#8217;s SamAccountName.&nbsp;&nbsp;The exploitation process(Source: [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2008,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","site-transparent-header":"default","prose-style":"enable","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[18],"tags":[],"class_list":["post-1521","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-active-directory"],"_links":{"self":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts\/1521","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/comments?post=1521"}],"version-history":[{"count":24,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts\/1521\/revisions"}],"predecessor-version":[{"id":2062,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/posts\/1521\/revisions\/2062"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/media\/2008"}],"wp:attachment":[{"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/media?parent
=1521"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/categories?post=1521"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackmybox.com\/index.php\/wp-json\/wp\/v2\/tags?post=1521"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}