CVE-2022-26923
TryHackMe Room from @am03bam4n. Thanks to the creators!
Introduction
To be completed
Requirements
A low-privilege domain user is needed to perform this attack. This user must:
have the right to enroll a machine onto the domain and create a computer account;
have the Validate write to DNS hostname right over the enrolled machine account;
have the Validate write to Service Principal Name (SPN) right over the enrolled machine account;
be able to request a Machine certificate.
Preparation: Installing the Certipy tool
As stated in the official GitHub repo, "Certipy is an offensive tool for enumerating and abusing Active Directory Certificate Services (AD CS)".
I installed Certipy on my Kali Linux inside a python3 virtual environment.
Step 1: Requesting a certificate
In the command below, we are requesting a certificate based on the User template for our low-privilege user thm.
As seen below, the certificate has been saved under thm.pfx.
Step 2: Verify the validity of the certificate
Again, Certipy can be used to verify that the issued certificate can be used for Kerberos authentication.
As seen below, the authentication with the certificate has been successful and we could retrieve a TGT for the thm user. Impacket retrieves the user's NT hash by default.
Step 3: Adding a new computer on the domain
We can add a new computer to the domain using the addcomputer.py script from Impacket. Then, we will be able to request a Machine certificate for this computer. Adding a new computer requires valid domain user credentials, so we use the thm user's credentials.
As seen below, the machine account associated with the new computer (THMPC$) has been created on the domain.
Step 4: Requesting a certificate for the machine account
Certipy can be used to request a certificate based on the Machine certificate template for the THMPC$ account.
Again, we verified the validity of the certificate using Certipy. As seen below, we have been able to authenticate using the certificate and request a TGT from the KDC.
Step 5: Updating the dnsHostname and Service Principal Name (SPN) Attribute
Since the thm user is the owner of the THMPC object, it has certain rights on that object by default, such as the ability to modify the dnsHostName and SPN. These two rights correspond to the Validate write to DNS hostname and Validate write to Service Principal Name (SPN) rights.
We will see that, using PowerShell cmdlets, we are able to change the dnsHostName and Service Principal Name of our computer AD object.
But first, we logged into a PowerShell session over SSH and checked the current properties of the THMPC object (focusing on the dnsHostName and SPN properties).
We tried to update the dnsHostName of the THMPC computer to the same value as the Domain Controller's. Our goal in doing that is to be able to request another certificate bound to the domain controller's dnsHostName. We will then be able to authenticate to any other service on the domain using this certificate later on.
However, we got an error and the operation failed! This is because, when the dnsHostName changes, the domain controller changes the SPN of the object by default. Since the SPN must be unique and another object already has the LUNDC.lunar.eruca.com SPN, a conflict occurs and the operation fails.
It is possible to circumvent this error by deleting the SPN property of our THMPC object, since the thm user has the Validate write to Service Principal Name (SPN) right over THMPC.
With the SPN property of the object deleted, we can try again to modify the dnsHostName of THMPC.
By checking the current properties of the THMPC object, we could see that the dnsHostName has been successfully changed to LUNDC.lunar.eruca.com and that the servicePrincipalName property has been removed.
Step 6: Forging a Malicious Certificate
Now that we have modified the dnsHostName of the THMPC object, we can request a certificate again. The CA issues certificates based on the dnsHostName of the requester, so in our case, although the certificate is requested for the THMPC object, it will be issued for LUNDC, which is the domain controller.
We verified that we could authenticate as the Domain Controller to the KDC and request a TGT. Certipy also returned the NT hash of the Domain Controller.
Having a valid certificate as the Domain Controller, we have fully compromised the domain!
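A defender-side check for the two changes this step relies on, added here as an example that is not part of the room or of Certipy: it scans constructed, simplified records modelled on Windows Security events 4742 (computer account changed) and 4887 (certificate issued) and flags a non-DC computer object whose DNS hostname now matches a domain controller, and a certificate carrying a DC name issued to a non-DC requester. The DC hostname and account sets and the flattened field names are assumptions.

```python
"""Added detection example (not from the room or Certipy).
Walks simplified records shaped like Security events 4742 and 4887
and flags the Certifried pattern: a non-DC computer object whose
DNS Host Name becomes a DC's name (usually with the SPN cleared),
and a certificate for a DC name issued to a non-DC requester.
Field names are flattened from the real event schema (assumption)."""

DC_HOSTNAMES = {"lundc.lunar.eruca.com"}   # assumed DC inventory
DC_ACCOUNTS = {"LUNDC$"}                   # assumed DC machine accounts

# Constructed sample events; names mirror the room's lab (THMPC$, LUNDC, thm).
EVENTS = [
    {"EventID": 4742, "TargetUserName": "THMPC$", "SubjectUserName": "thm",
     "DnsHostName": "LUNDC.lunar.eruca.com", "ServicePrincipalNames": "-"},
    {"EventID": 4742, "TargetUserName": "WS01$", "SubjectUserName": "WS01$",
     "DnsHostName": "ws01.lunar.eruca.com",
     "ServicePrincipalNames": "HOST/ws01.lunar.eruca.com"},
    {"EventID": 4887, "Requester": "LUNAR\\THMPC$",
     "SubjectAltName": "LUNDC.lunar.eruca.com", "Template": "Machine"},
    {"EventID": 4887, "Requester": "LUNAR\\LUNDC$",
     "SubjectAltName": "LUNDC.lunar.eruca.com", "Template": "DomainController"},
]


def find_certifried_indicators(events, dc_hostnames=DC_HOSTNAMES,
                               dc_accounts=DC_ACCOUNTS):
    """Return a list of (event_id, offending_account, reason) findings."""
    dcs = {h.lower() for h in dc_hostnames}
    findings = []
    for ev in events:
        if ev["EventID"] == 4742:
            acct = ev["TargetUserName"]
            host = ev.get("DnsHostName", "").lower()
            # Only a DC's own account should ever carry a DC hostname.
            if host in dcs and acct not in dc_accounts:
                reason = "dNSHostName set to DC name"
                if ev.get("ServicePrincipalNames") in ("-", ""):
                    reason += " with SPN cleared"
                findings.append((4742, acct, reason))
        elif ev["EventID"] == 4887:
            acct = ev["Requester"].split("\\")[-1]   # strip DOMAIN\ prefix
            san = ev.get("SubjectAltName", "").lower()
            if san in dcs and acct not in dc_accounts:
                findings.append((4887, acct, "certificate for DC name issued to non-DC"))
    return findings


if __name__ == "__main__":
    for finding in find_certifried_indicators(EVENTS):
        print(finding)
```

Both hits are expected on the constructed input; the 4742 hit alone is enough to trigger a review of the computer object before the CA ever issues a certificate.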
Mitigation
To be completed
Resource
Lyak, Oliver. (2022). Certifried: Active Directory Domain Privilege Escalation (CVE-2022-26923).