A new ADCS privesc was released: Certifried (CVE-2022-26923) with this blogpost after Microsoft patched it.
Here is an example on how to exploit this vulnerability with bloodyAD and PKINIT not supported from Linux.
We need to own a computer, either we pwned one or we can create one if ms-DS-MachineAccountQuota>0:
We create a Computer object cve in the LDAP:
Then we set the attribute dNSHostName (empty when we created the object) to match the Domain Controller DNS Hostname: CRASHDC.crashlab.local.
To check if the attribute has been correctly set:
Now we can use Certipy to request a certificate for the computer cve:
Now we’ll try to get a TGT using Certipy with the certificate requested above:
PKINIT doesn’t seem to work on this AD, let’s try RBCD technique with bloodyAD and its certificate authentication feature:
Delegation rights are set up, we can now use impacketgetST.py to impersonate a Domain admin (emacron in our case) on CRASHDC$ and fetch a TGT:
Finally we’ll use impacketsecretsdump.py to perform a DCSync with the exported TGT:
tags: ad - privesc - bloodyad - kerberos - authentication