# AD Common Vulnerabilities

### Abusing ZeroLogon <a href="#lecture_heading" id="lecture_heading"></a>

We set the domain controller's password to null.

{% embed url="<https://www.trendmicro.com/en_us/what-is/zerologon.html>" %}

{% embed url="<https://github.com/dirkjanm/CVE-2020-1472>" %}
exploit
{% endembed %}

{% embed url="<https://github.com/SecuraBV/CVE-2020-1472>" %}
SecuraBV ZeroLogon Checker
{% endembed %}

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FLTfdmegmNNfNui7ehutp%2Fimage.png?alt=media&#x26;token=5426e2c8-a3d5-4fc8-8f2d-ad33d58e7305" alt=""><figcaption><p>scanning</p></figcaption></figure>

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FAIh8ywNSRplpyuGKVxg7%2Fimage.png?alt=media&#x26;token=d9968aeb-61fa-4ff6-89e9-968385928a21" alt=""><figcaption><p>Attacking</p></figcaption></figure>

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FzKLXLeKY4UjLtQQJXM5E%2Fimage.png?alt=media&#x26;token=a4b98390-efd4-4f01-b663-f73280df0ec5" alt=""><figcaption><p>checking if attack is successful</p></figcaption></figure>

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FxoKq5T3Ct0F1VfQlexqQ%2Fimage.png?alt=media&#x26;token=bd3850ec-1177-4b4c-b3ee-2da84dac8ec1" alt=""><figcaption><p>Restore Password</p></figcaption></figure>

### PrintNightmare (CVE-2021-1675) <a href="#lecture_heading" id="lecture_heading"></a>

{% embed url="<https://github.com/cube0x0/CVE-2021-1675>" %}
cube0x0 RCE
{% endembed %}

{% embed url="<https://github.com/calebstewart/CVE-2021-1675>" %}
calebstewart LPE
{% endembed %}

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2F0iwX6lYD181oY3ToRsdI%2Fimage.png?alt=media&#x26;token=143a5820-d640-441e-89bd-231c63e6e679" alt=""><figcaption><p>scanning to check if vulnerable</p></figcaption></figure>

Make a malicious DLL

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2F4BJltFIxQmSmk2XnN7Ja%2Fimage.png?alt=media&#x26;token=75390b3e-3322-4051-a58a-6ea5794111e2" alt=""><figcaption></figcaption></figure>

Share the directory

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FAPGliUy5LpssUKjNgEwa%2Fimage.png?alt=media&#x26;token=f24352a2-90c6-4462-ad05-ad3f9d804440" alt=""><figcaption></figcaption></figure>

Exploitation

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FC67Fj0uhLgPgPhDwwXEl%2Fimage.png?alt=media&#x26;token=c14523e7-9175-42d9-ad7f-8438a1cc2e55" alt=""><figcaption></figcaption></figure>
