Semi Manual Exploit
Theory
In November 2021, two vulnerabilities caught the attention of many security researchers as they could allow domain escalation from a standard user.
CVE-2021-42278 - Name impersonation
Computer accounts should have a trailing $ in their name (i.e. the sAMAccountName attribute), but no validation process existed to make sure of it. Abused in combination with CVE-2021-42287, it allowed attackers to impersonate domain controller accounts.
CVE-2021-42287 - KDC bamboozling
When requesting a Service Ticket, presenting a TGT is required first. When the account the service ticket is asked for is not found by the KDC, the KDC automatically searches again with a trailing $ appended. What happens is that if a TGT is obtained for bob, and the bob user then gets removed, using that TGT to request a service ticket for another user to himself (S4U2self) will result in the KDC looking for bob$ in AD. If the domain controller account bob$ exists, then bob (the user) just obtained a service ticket for bob$ (the domain controller account) as any other user 🤯.
Machine Account
The ability to edit a machine account's sAMAccountName and servicePrincipalName attributes is a prerequisite for the attack chain. The easiest way this can be achieved is by creating a computer account (e.g. by leveraging the MachineAccountQuota domain-level attribute if it is greater than 0). The creator of the new machine account has enough privileges to edit its attributes. Alternatively, taking control over the owner/creator of an existing computer account should do the job.
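As an added defensive check (not code from the original page), the following Python audits a directory snapshot for the preconditions this section describes: a MachineAccountQuota above zero, computer objects whose sAMAccountName lacks the trailing $, computers created through the quota (mS-DS-CreatorSID populated), computers with an empty servicePrincipalName, and names that collide with a domain controller once the $ is dropped. The snapshot is constructed inline; the domain corp.local, the SIDs and the object names are all assumptions of the example.

```python
"""Audit a directory snapshot for the preconditions of CVE-2021-42278.

Added example, not code from the original page. The snapshot below is
constructed inline and only mimics the LDAP attributes a defender would
export for objectClass=computer (domain name, SIDs and object names are
made up).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Computer:
    sam_account_name: str                 # sAMAccountName
    dn: str                               # distinguishedName
    creator_sid: Optional[str] = None     # mS-DS-CreatorSID: set only when a non-admin
                                          # created the object through the quota
    spns: list = field(default_factory=list)  # servicePrincipalName values


# Constructed snapshot of a hypothetical domain (corp.local).
SAMPLE_SNAPSHOT = {
    "ms-DS-MachineAccountQuota": 10,  # Windows default: any authenticated user may join 10 machines
    "domain_controllers": ["DC01$"],
    "computers": [
        Computer("DC01$", "CN=DC01,OU=Domain Controllers,DC=corp,DC=local",
                 spns=["HOST/DC01.corp.local", "RestrictedKrbHost/DC01.corp.local"]),
        Computer("WS42$", "CN=WS42,CN=Computers,DC=corp,DC=local",
                 creator_sid="S-1-5-21-1-2-3-1105",
                 spns=["HOST/WS42.corp.local"]),
        # A machine account whose name collides with DC01 once the '$' is dropped.
        Computer("DC01", "CN=LAB-PC9,CN=Computers,DC=corp,DC=local",
                 creator_sid="S-1-5-21-1-2-3-1105"),
    ],
}


def audit(snapshot):
    """Return a list of (finding_code, detail) tuples for the snapshot."""
    findings = []

    quota = snapshot.get("ms-DS-MachineAccountQuota", 0)
    if quota > 0:
        findings.append(("MACHINE_ACCOUNT_QUOTA",
                         f"ms-DS-MachineAccountQuota={quota}; set it to 0 so standard "
                         "users cannot create machine accounts"))

    dc_bases = {n.rstrip("$").lower() for n in snapshot["domain_controllers"]}
    by_base_name = defaultdict(list)   # name without '$' -> DNs carrying it

    for comp in snapshot["computers"]:
        name = comp.sam_account_name
        by_base_name[name.rstrip("$").lower()].append(comp.dn)

        if not name.endswith("$"):
            findings.append(("NO_TRAILING_DOLLAR", f"{comp.dn}: sAMAccountName={name}"))
        if comp.creator_sid is not None:
            findings.append(("CREATED_VIA_QUOTA",
                             f"{comp.dn}: mS-DS-CreatorSID={comp.creator_sid}"))
        if not comp.spns:
            findings.append(("NO_SPN", f"{comp.dn}: servicePrincipalName is empty"))

    # Two objects sharing a base name means one of them can stand in for the other
    # during the KDC's '$'-appending retry; it is critical when a DC is involved.
    for base, dns in by_base_name.items():
        if len(dns) > 1:
            code = "DC_NAME_COLLISION" if base in dc_bases else "NAME_COLLISION"
            findings.append((code, f"{base}: " + ", ".join(dns)))

    return findings


def finding_codes(snapshot):
    """The set of finding codes raised for a snapshot (handy for tests/alerting)."""
    return {code for code, _ in audit(snapshot)}


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_SNAPSHOT):
        print(f"[{code}] {detail}")
```

In a real environment the snapshot would be built from an LDAP export of computer objects plus the domain's ms-DS-MachineAccountQuota; the collision check is the one that directly mirrors the KDC behaviour described above.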
The attack can then be conducted as follows.
1. Clear the controlled machine account's servicePrincipalName attribute of any value that points to its name (e.g. host/machine.domain.local, RestrictedKrbHost/machine.domain.local)
2. Change the controlled machine account's sAMAccountName to a Domain Controller's name without the trailing $ -> CVE-2021-42278
3. Request a TGT for the controlled machine account
4. Reset the controlled machine account's sAMAccountName to its old value (or anything else different from the Domain Controller's name without the trailing $)
5. Request a service ticket with S4U2self by presenting the TGT obtained before -> CVE-2021-42287
6. Get access to the domain controller (i.e. DCSync)
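The rename-then-revert sequence in the steps above (and in the walkthrough further down) leaves a distinctive trace in the account management events a domain controller emits. As an added detection example (not code from the original page), the Python below flags a computer account rename that drops the trailing $, rates it high when the new name matches a domain controller, and notes whether the same subject created the account and whether the name was reverted within a short window. The events are constructed inline; the event IDs are the real Windows Security log IDs (4741 computer account created, 4781 account name changed, which records the old and new names), but the dict field names are this example's own simplification rather than the exact log schema.

```python
"""Flag the account-rename pattern of CVE-2021-42278 / CVE-2021-42287 in
account management events collected from domain controllers.

Added example, not from the original page. Events are constructed inline
as simplified dicts: the IDs 4741 (computer account created) and 4781
(account name changed, carrying the old and new names) are the real
Windows Security log event IDs, the field names are an assumption.
"""
from datetime import datetime, timedelta

# Constructed: sAMAccountNames of the domain controllers' machine accounts.
DOMAIN_CONTROLLERS = {"DC01$"}

# Constructed sample event stream (names, times and subjects are made up).
SAMPLE_EVENTS = [
    {"time": "2021-12-12T10:00:00", "id": 4741, "subject": "bob", "target": "LAB-PC9$"},
    {"time": "2021-12-12T10:00:05", "id": 4781, "subject": "bob", "old": "LAB-PC9$", "new": "DC01"},
    {"time": "2021-12-12T10:00:20", "id": 4781, "subject": "bob", "old": "DC01", "new": "LAB-PC9$"},
    # A benign rename by the helpdesk keeps the trailing '$' and is ignored.
    {"time": "2021-12-12T11:00:00", "id": 4781, "subject": "helpdesk", "old": "WS42$", "new": "WS43$"},
]


def _base(name):
    """Account name without the trailing '$', lower-cased for comparison."""
    return name.rstrip("$").lower()


def detect(events, domain_controllers=DOMAIN_CONTROLLERS, window=timedelta(minutes=10)):
    """Return one alert dict per rename that strips the '$' from a computer account."""
    dc_bases = {_base(n) for n in domain_controllers}
    renames = [e for e in events if e["id"] == 4781]
    created_by = {e["target"]: e["subject"] for e in events if e["id"] == 4741}
    alerts = []

    for ev in renames:
        old, new = ev["old"], ev["new"]
        # Only computer accounts losing their trailing '$' are interesting here.
        if not (old.endswith("$") and not new.endswith("$")):
            continue

        alert = {
            "time": ev["time"],
            "subject": ev["subject"],
            "old": old,
            "new": new,
            "severity": "high" if _base(new) in dc_bases else "medium",
            "created_by_subject": created_by.get(old) == ev["subject"],
            "reverted_within_window": False,
        }

        # Look for the name being put back (to any '$'-suffixed value) shortly after.
        t0 = datetime.fromisoformat(ev["time"])
        for later in renames:
            t1 = datetime.fromisoformat(later["time"])
            if later["old"] == new and later["new"].endswith("$") and t0 < t1 <= t0 + window:
                alert["reverted_within_window"] = True
                break

        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The check keys on the rename event rather than on the TGT or S4U2self request because the rename is the one step that must happen and that the directory logs unambiguously; the high-severity condition is the collision with a domain controller name that the chain depends on.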
CVE-2021-42287 is a privilege escalation vulnerability associated with the Kerberos Privilege Attribute Certificate (PAC) in Active Directory Domain Services (AD DS). CVE-2021-42278 is a Security Account Manager (SAM) spoofing security bypass vulnerability. Threat actors could leverage these flaws to escalate to domain administrator privileges from a standard user account.
Gaining domain administrator access
NoPac relies on changing the SamAccountName of a computer account to the name of a domain controller. By default, every authenticated user can add up to ten computers to the domain. The exploitation process includes the following steps:
What we will do is add a computer, clear the SPNs of that computer, rename the computer to the same name as the DC, obtain a TGT for that computer, reset the computer name to its original value, obtain a service ticket with the TGT we obtained previously and finally DCSync.
1. Get renameMachine.py and Addspn.py
2. Add a new computer
3. Clear the SPNs of our new computer (with addspn from dirkjan's krbrelayx toolkit)
4. Rename the computer (computer -> DC)
5. Obtain a TGT
6. Reset the computer name back to the original name
7. Obtain a service ticket with S4U2self by presenting the previous TGT
8. DCSync by presenting the service ticket
And voilà, we got all the ntds.dit information of the north domain :)
Now clean up by deleting the computer we created, using the administrator account hash we just obtained.