Semi Manual Exploit
Last updated
In November 2021, two vulnerabilities caught the attention of many security researchers, as together they could allow domain privilege escalation from a standard user.

Computer accounts should have a trailing `$` in their name (i.e. the `sAMAccountName` attribute), but no validation process existed to make sure of it. Abused in combination with CVE-2021-42287, this allowed attackers to impersonate domain controller accounts.
When requesting a service ticket, a TGT must be presented first. When the account a service ticket is requested for is not found by the KDC, the KDC automatically searches again for the name with a trailing `$`. So if a TGT is obtained for `bob`, and the `bob` user is then removed, using that TGT to request a service ticket to himself on behalf of another user (S4U2self) will make the KDC look for `bob$` in AD. If the domain controller account `bob$` exists, then `bob` (the user) has just obtained a service ticket for `bob$` (the domain controller account) as any other user.
The ability to edit a machine account's `sAMAccountName` and `servicePrincipalName` attributes is a requirement for the attack chain. The easiest way to achieve this is by creating a computer account (e.g. by leveraging the MachineAccountQuota domain-level attribute if it's greater than 0): the creator of the new machine account has enough privileges to edit its attributes. Alternatively, taking control over the owner/creator of an existing computer account should do the job.
The attack can then be conducted as follows.
1. Clear the controlled machine account's `servicePrincipalName` attribute of any value that points to its name (e.g. `host/machine.domain.local`, `RestrictedKrbHost/machine.domain.local`)
2. Change the controlled machine account's `sAMAccountName` to a Domain Controller's name without the trailing `$` -> CVE-2021-42278
3. Request a TGT for the controlled machine account
4. Reset the controlled machine account's `sAMAccountName` to its old value (or anything else different from the Domain Controller's name without the trailing `$`)
5. Request a service ticket with S4U2self by presenting the TGT obtained before -> CVE-2021-42287
6. Get access to the domain controller (i.e. DCSync)
CVE-2021-42287 is a privilege escalation vulnerability associated with the Kerberos Privilege Attribute Certificate (PAC) in Active Directory Domain Services (AD DS). CVE-2021-42278 is a Security Account Manager (SAM) spoofing security bypass vulnerability. Threat actors could leverage these flaws to escalate to domain administrator privileges from a standard user account.
NoPac relies on changing the `sAMAccountName` of a computer account to the name of a domain controller. By default, every authenticated user can add up to ten computers to the domain. In short, we add a computer, clear that computer's SPNs, rename it to the same name as the DC, obtain a TGT for it, reset its name to the original one, obtain a service ticket with the TGT we got previously, and finally DCSync. The exploitation process includes the following steps:
1. Add a new computer
2. Clear the SPNs of our new computer (with the `addspn` script from Dirk-jan's krbrelayx tool)
3. Rename the computer (computer -> DC)
4. Obtain a TGT
5. Reset the computer name back to the original name
6. Obtain a service ticket with S4U2self by presenting the previous TGT
7. DCSync by presenting the service ticket
And voilà, we got all the north domain ntds.dit information :)

Now clean up by deleting the computer we created, using the administrator account hash we just got.
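From the defender's side, both step lists above leave the same two traces: a computer account whose `sAMAccountName` has no trailing `$` (or collides with a DC name) and an emptied `servicePrincipalName`. The following is an added example, not code from the original page or from any tool it mentions; it runs the corresponding checks over constructed, in-memory directory records and simplified event 4742 records, and the `DC01`/`EVIL$` names and the `key=value;` event layout are assumptions for the sample data.

```python
# Added example, not the page's code: defender-side checks for the NoPac
# preconditions over constructed data (real use: LDAP + Security event log).
SAMPLE_COMPUTERS = [  # constructed, shaped like an LDAP (objectClass=computer) result
    {"sAMAccountName": "DC01$", "servicePrincipalName": ["HOST/dc01.domain.local"]},
    {"sAMAccountName": "WS01$", "servicePrincipalName": ["HOST/ws01.domain.local"]},
    # attacker-controlled account mid-chain: SPNs cleared, renamed to the DC name minus "$"
    {"sAMAccountName": "DC01", "servicePrincipalName": []},
]
# Constructed, simplified Security event 4742 ("A computer account was changed")
# records; "-" means that attribute was not changed by the event.
SAMPLE_4742 = [
    "EventID=4742;TargetAccountName=WS01$;SAMAccountName=-;ServicePrincipalNames=-",
    "EventID=4742;TargetAccountName=EVIL$;SAMAccountName=-;ServicePrincipalNames=",
    "EventID=4742;TargetAccountName=EVIL$;SAMAccountName=DC01;ServicePrincipalNames=-",
]
DC_NAMES = ["DC01$"]  # hypothetical domain controller account names

def _bare(name):
    return name.rstrip("$").lower()  # compare names without the trailing $

def audit_computers(computers, dc_names=DC_NAMES):
    """Return (sAMAccountName, reason) findings for the CVE-2021-42278 preconditions."""
    dcs = {_bare(n) for n in dc_names}
    findings = []
    for c in computers:
        name = c["sAMAccountName"]
        if not name.endswith("$"):
            findings.append((name, "computer account without trailing $"))
        if _bare(name) in dcs and name not in dc_names:
            findings.append((name, "name collides with a domain controller account"))
        if not c.get("servicePrincipalName"):
            findings.append((name, "servicePrincipalName is empty"))
    return findings

def flag_4742(lines, dc_names=DC_NAMES):
    """Flag 4742 events that rename to a non-$ or DC-like name, or clear all SPNs."""
    dcs = {_bare(n) for n in dc_names}
    alerts = []
    for line in lines:
        ev = dict(kv.split("=", 1) for kv in line.split(";"))
        if ev.get("EventID") != "4742":
            continue
        new_sam = ev.get("SAMAccountName", "-")
        if new_sam != "-" and (not new_sam.endswith("$") or _bare(new_sam) in dcs):
            alerts.append((ev["TargetAccountName"], "renamed to " + new_sam))
        if ev.get("ServicePrincipalNames") == "":
            alerts.append((ev["TargetAccountName"], "all SPNs cleared"))
    return alerts
```

The rename check fires between steps 2 and 4 of the chain, while the account is still briefly named after the DC; the SPN check fires at step 1, so either one alone is enough to catch an attempt before the TGT is requested.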